Vulnerability Details: CVE-2013-1888
pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.
Products affected by CVE-2013-1888
- cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*
- cpe:2.3:a:pypa:pip:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-1888
- 0.04%: probability of exploitation activity in the next 30 days
- ~ 6 %: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-1888
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:P/A:N | 3.9 | 2.9 | NIST | |
CWE ids for CVE-2013-1888
- The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-1888
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105952.html
  [SECURITY] Fedora 18 Update: python-virtualenv-1.9.1-1.fc18 (Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106311.html
  [SECURITY] Fedora 19 Update: python-virtualenv-1.9.1-1.fc19 (Third Party Advisory)
- https://github.com/pypa/pip/pull/780/files
  /tmp/pip-build fixes by qwcode · Pull Request #780 · pypa/pip · GitHub (Patch; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2013/03/22/10
  oss-security - Re: CVE Request: python-pip insecure temporary directory handling (Mailing List; Third Party Advisory)
- https://github.com/pypa/pip/issues/725
  /tmp/pip-build not secure · Issue #725 · pypa/pip · GitHub (Third Party Advisory)
- https://github.com/pypa/pip/pull/734/files
  Fix #725 and #729. /tmp/pip-build issues by d1b · Pull Request #734 · pypa/pip · GitHub (Patch; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105989.html
  [SECURITY] Fedora 17 Update: python-virtualenv-1.9.1-1.fc17 (Third Party Advisory)