CVE-2013-5123: Improper Authentication in pip
CVSS Score: 5.9 (CVSS v3.1)
Basic Information
CVE ID: CVE-2013-5123
GHSA ID:
EPSS Score: 0.93695%
CWE:
Published: 5/24/2022
Updated: 10/14/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
pip | pip | < 1.5 | 1.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure package validation when using mirrors. The provided patches show critical changes to distlib's version parsing logic (PEP 426 compliance). These functions directly process package metadata used in authenticity checks. The regex expansion and tuple handling fixes indicate previous version validation weaknesses that could be exploited via malicious mirror packages. While the DNS/mirror logic isn't shown in these patches, the version parsing improvements in distlib 0.1.6 directly address the authentication aspect of CVE-2013-5123.