High severity · NVD Advisory · Published Aug 6, 2013 · Updated Apr 29, 2026
CVE-2013-1633
Description
easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| setuptools (PyPI) | < 0.7 | 0.7 |
Affected products
- cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:* (range: <=0.7b4)
- cpe:2.3:a:python:setuptools:0.6.40:*:*:*:*:*:*:*
- cpe:2.3:a:python:setuptools:0.6.41:*:*:*:*:*:*:*
- cpe:2.3:a:python:setuptools:0.6.42:*:*:*:*:*:*:*
- cpe:2.3:a:python:setuptools:0.6.43:*:*:*:*:*:*:*
- cpe:2.3:a:python:setuptools:0.6.44:*:*:*:*:*:*:*
- cpe:2.3:a:python:setuptools:0.6.45:*:*:*:*:*:*:*
- cpe:2.3:a:python:setuptools:0.6.46:*:*:*:*:*:*:*
- cpe:2.3:a:python:setuptools:0.6.47:*:*:*:*:*:*:*
- cpe:2.3:a:python:setuptools:0.6.48:*:*:*:*:*:*:*
- cpe:2.3:a:python:setuptools:0.6.49:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-27x4-j476-jp5f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-1633 (ghsa, ADVISORY)
- pypi.python.org/pypi/setuptools/0.9.8 (nvd, Vendor Advisory, WEB)
- www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2013-22.yaml (ghsa, WEB)
- www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/ (nvd)