CVE-2013-5123

high-risk
Published 2019-11-05

The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks, which allows attackers to perform man-in-the-middle attacks.

Do I need to act?

12.4% chance of exploitation in next 30 days
EPSS score — higher than 88% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
1 public exploit available
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 5.9/10 Medium
NETWORK / HIGH complexity
53 / 100
high-risk
Severity 18/34 · Moderate
Exploitability 19/34 · Moderate
Exposure 16/34 · Moderate