CVE-2018-20225

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-20225

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20225.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-20225

Related

Withdrawn

2020-06-01T16:05:34Z

Published

2020-05-08T18:15:10Z

Modified

2024-08-07T02:51:10.515575Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely

References

Affected packages

Debian:11 / python-pip

Package

Name: python-pip
Purl: pkg:deb/debian/python-pip?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.3.4-4

20.3.4-4+deb11u1

21.*

21.3.1+dfsg-1

21.3.1+dfsg-2

21.3.1+dfsg-3

22.*

22.0.2+dfsg-1

22.1+dfsg-1

22.1.1+dfsg-1

22.2+dfsg-1

22.3+dfsg-1

22.3.1+dfsg-1

22.3.1+dfsg-2

23.*

23.0+dfsg-1

23.0+dfsg-2

23.0.1+dfsg-1

23.1.2+dfsg-1

23.1.2+dfsg-2

23.2+dfsg-1

23.2.1+dfsg-1

23.3+dfsg-1

24.*

24.0+dfsg-1

24.0+dfsg-2

24.1+dfsg-1

24.1.1+dfsg-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / python-pip

Package

Name: python-pip
Purl: pkg:deb/debian/python-pip?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

23.*

23.0.1+dfsg-1

23.1.2+dfsg-1

23.1.2+dfsg-2

23.2+dfsg-1

23.2.1+dfsg-1

23.3+dfsg-1

24.*

24.0+dfsg-1

24.0+dfsg-2

24.1+dfsg-1

24.1.1+dfsg-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / python-pip

Package

Name: python-pip
Purl: pkg:deb/debian/python-pip?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

23.*

23.0.1+dfsg-1

23.1.2+dfsg-1

23.1.2+dfsg-2

23.2+dfsg-1

23.2.1+dfsg-1

23.3+dfsg-1

24.*

24.0+dfsg-1

24.0+dfsg-2

24.1+dfsg-1

24.1.1+dfsg-1

Ecosystem specific

{
    "urgency": "unimportant"
}