
CVE-2013-5123: Improper Authentication in pip

CVSS Score: 5.9 (CVSS v3.1)

Basic Information

EPSS Score: 0.93695%
Published: 5/24/2022
Updated: 10/14/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
pip            pip         < 1.5                 1.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from insecure package validation when pip uses mirrors. The provided patches show critical changes to distlib's version parsing logic (PEP 426 compliance); these functions directly process the package metadata used in authenticity checks. The regex expansion and tuple-handling fixes indicate earlier version-validation weaknesses that could be exploited via malicious mirror packages. Although the DNS/mirror logic itself is not shown in these patches, the version-parsing improvements in distlib 0.1.6 directly address the authentication aspect of CVE-2013-5123.


WAF Protection Rules

WAF Rule

The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.
