{"id":"PYSEC-2013-22","details":"easy_install in setuptools before 0.7 retrieves packages from the PyPI repository over plain HTTP and performs no integrity verification of the downloaded package contents. An attacker positioned as a man-in-the-middle on the network path can therefore substitute a crafted response for the requested package and execute arbitrary code on the installing host, in the default configuration of the tool.","aliases":["CVE-2013-1633","GHSA-27x4-j476-jp5f"],"modified":"2023-11-08T03:57:14.525408Z","published":"2013-08-06T02:52:00Z","references":[{"type":"WEB","url":"http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/"},{"type":"WEB","url":"https://pypi.python.org/pypi/setuptools/0.9.8#changes"}],"affected":[{"package":{"name":"setuptools","ecosystem":"PyPI","purl":"pkg:pypi/setuptools"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.7"}]}],"versions":["0.6b1","0.6b2","0.6b3","0.6b4","0.6c1","0.6c10","0.6c11","0.6c2","0.6c3","0.6c4","0.6c5","0.6c6","0.6c7","0.6c8","0.6c9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/setuptools/PYSEC-2013-22.yaml"}}],"schema_version":"1.7.3"}