pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| guillaume_gauvrit | pyshop | 0.6 |
| guillaume_gauvrit | pyshop | 0.2 |
| guillaume_gauvrit | pyshop | 0.4 |
| guillaume_gauvrit | pyshop | * |
| guillaume_gauvrit | pyshop | 0.3 |
| guillaume_gauvrit | pyshop | 0.1 |
| guillaume_gauvrit | pyshop | 0.5 |