High severityNVD Advisory· Published Sep 29, 2014· Updated May 6, 2026

CVE-2013-2100

Description

The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
portagePyPI	< 2.1.12.2	2.1.12.2

Affected products

Gentoo/Portage
cpe:2.3:a:gentoo:portage:2.1.12:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugs.gentoo.org/show_bug.cginvdPatchWEB
openwall.com/lists/oss-security/2013/05/15/5nvdExploitWEB
github.com/advisories/GHSA-8823-xphr-qw9vghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2013-2100ghsaADVISORY
openwall.com/lists/oss-security/2013/05/16/3nvdWEB
exchange.xforce.ibmcloud.com/vulnerabilities/84315nvdWEB
github.com/pypa/advisory-database/tree/main/vulns/portage/PYSEC-2014-115.yamlghsaWEB
security.gentoo.org/glsa/201507-16nvdWEB
www.securityfocus.com/bid/59878nvd

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000