CVE-2018-20225
Summary
| CVE | CVE-2018-20225 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-05-08 18:15:00 UTC |
| Updated | 2023-11-07 02:56:00 UTC |
| Description | ** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 1835736 – (CVE-2018-20225) CVE-2018-20225 python-pip: when --extra-index-url option is used and package does not already exist in the public index, the installation of malicious package with arbitrary version number is possible. | MISC | bugzilla.redhat.com | |
| Arbitrary code execution from pip's "--extra-index-url" (cowlicks) | MISC | cowlicks.website | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Release Notes — pip 19.0.2 documentation | MISC | pip.pypa.io | Release Notes, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.