CVE-2013-1630 — pyshop vulnerable to man-in-the-middle attacks due to using HTTP to retrieve pac

Description

pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.

How to fix CVE-2013-1630

To remediate CVE-2013-1630, upgrade the affected package to a fixed version below.

PyPI/pyshop—upgrade to 0.7.1 or later
PyPI/pyshop—upgrade to ffadb0bcdef1e385884571670210cfd6ba351784 or later

Is CVE-2013-1630 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.7.1
from 0, < ffadb0bcdef1e385884571670210cfd6ba351784 | from 0, < 0.7.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References (8)

ADVISORYgithub.com/advisories/GHSA-f594-f3v3-g649
ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-1630
PATCHgithub.com/mardiros/pyshop
WEBgithub.com/mardiros/pyshop/blob/master/CHANGES.txt
WEB