
CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.

References:
• http://www.pip-installer.org/en/latest/installing.html
• http://www.pip-installer.org/en/latest/news.html#changelog
• http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a
• https://bugzilla.redhat.com/show_bug.cgi?id=968059
• https://github.com/pypa/pip/issues/425
• https://github.com/pypa/pip/pull/791/files

CWE-20: Improper Input Validation
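The two missing controls named in the description are transport security (HTTPS with certificate verification, which pip added in 1.3 per the linked changelog) and content integrity (a pinned digest of the archive, which later pip releases expose as the --hash requirement option). The following is an added example written for this page, not pip's own code: a minimal installer front end that refuses a plain-HTTP index and refuses any archive whose digest does not match a pinned strong hash. The index URL pypi.example, the archive bytes, and the fetch callables (one honest, one modelling an on-path attacker) are constructed stand-ins so the script runs offline.

```python
"""Added example: HTTPS-only, hash-pinned artifact fetch (not pip's code)."""
import hashlib
import hmac
from urllib.parse import urlparse

# Digests accepted for a pin; weak ones (md5, sha1) are deliberately excluded.
STRONG_HASHES = {"sha256", "sha384", "sha512"}


class InsecureTransportError(Exception):
    """Index URL is not HTTPS, so an on-path attacker could rewrite the response."""


class IntegrityError(Exception):
    """Downloaded archive matches no pinned digest, or no digest was pinned."""


def check_index_url(index_url):
    """Reject anything that is not an https:// URL with a host."""
    parsed = urlparse(index_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise InsecureTransportError("refusing non-HTTPS index: %s" % index_url)
    return parsed


def parse_requirement_line(line):
    """Parse 'name==version --hash=algo:hex ...' into (name, version, pins)."""
    tokens = line.split()
    if not tokens or "==" not in tokens[0]:
        raise ValueError("expected an exact pin like name==version")
    name, version = tokens[0].split("==", 1)
    pins = []
    for tok in tokens[1:]:
        if not tok.startswith("--hash="):
            raise ValueError("unsupported option: %s" % tok)
        algo, sep, digest = tok[len("--hash="):].partition(":")
        algo = algo.lower()
        if not sep or algo not in STRONG_HASHES:
            raise ValueError("pin must use one of %s" % sorted(STRONG_HASHES))
        pins.append((algo, digest.lower()))
    return name, version, pins


def sha256_hex(data):
    """Digest of an archive as it would be recorded in a lockfile."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data, pins):
    """Return True iff data matches at least one pin; constant-time compare."""
    if not pins:
        raise IntegrityError("no hash pinned for this artifact; refusing to install")
    for algo, expected in pins:
        actual = hashlib.new(algo, data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return True
    raise IntegrityError("archive digest does not match any pinned hash")


def fetch_and_verify(req_line, index_url, fetch):
    """Download via fetch(index_url, name, version) and verify before returning."""
    check_index_url(index_url)
    name, version, pins = parse_requirement_line(req_line)
    data = fetch(index_url, name, version)
    verify_artifact(data, pins)
    return data


# Constructed sample archives (stand-ins for a real sdist or wheel).
GOOD_ARCHIVE = b"PK\x03\x04 genuine pkg-1.0 contents"
TAMPERED_ARCHIVE = b"PK\x03\x04 pkg-1.0 with os.system('...') in setup.py"


def honest_fetch(index_url, name, version):
    """Transport that returns what the index actually serves (constructed)."""
    return GOOD_ARCHIVE


def mitm_fetch(index_url, name, version):
    """Transport modelling an on-path attacker swapping the archive in flight."""
    return TAMPERED_ARCHIVE


def demo():
    """Run the scenarios from the advisory and report each outcome."""
    pinned = "pkg==1.0 --hash=sha256:" + sha256_hex(GOOD_ARCHIVE)
    https_index, http_index = "https://pypi.example/simple", "http://pypi.example/simple"
    results = {}
    results["pinned_honest"] = fetch_and_verify(pinned, https_index, honest_fetch) == GOOD_ARCHIVE
    try:
        fetch_and_verify(pinned, https_index, mitm_fetch)
        results["pinned_mitm"] = "installed"
    except IntegrityError:
        results["pinned_mitm"] = "rejected"
    try:
        fetch_and_verify(pinned, http_index, honest_fetch)
        results["plain_http"] = "installed"
    except InsecureTransportError:
        results["plain_http"] = "rejected"
    try:
        fetch_and_verify("pkg==1.0", https_index, mitm_fetch)  # no pin: the pre-1.3 situation
        results["unpinned_mitm"] = "installed"
    except IntegrityError:
        results["unpinned_mitm"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The unpinned case is the one the description covers: without a digest there is nothing to compare the tampered archive against, so the only remaining defence is the transport, and over plain HTTP there is none. Pinning is done on the archive bytes, not on the index page, because the attacker in this scenario controls the whole response.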