UBUNTU-CVE-2018-20225

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2018-20225

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-20225.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2018-20225

Related

CVE-2018-20225

Published

2020-05-08T18:15:00Z

Modified

2025-01-13T10:21:50Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

* DISPUTED * An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

References

Affected packages

Ubuntu:Pro:14.04:LTS / python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip@1.5.4-1ubuntu4+esm5?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.4.1-2

1.5.4-1

1.5.4-1ubuntu1

1.5.4-1ubuntu3

1.5.4-1ubuntu4

1.5.4-1ubuntu4+esm1

1.5.4-1ubuntu4+esm2

1.5.4-1ubuntu4+esm3

1.5.4-1ubuntu4+esm4

1.5.4-1ubuntu4+esm5

Ecosystem specific

{
    "ubuntu_priority": "negligible"
}

Ubuntu:Pro:16.04:LTS / python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip@8.1.1-2ubuntu0.6+esm10?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5.6-7ubuntu1

1.5.6-7ubuntu2

8.*

8.0.2-7

8.0.3-1

8.0.3-2

8.1.0-1

8.1.0-2

8.1.1-1

8.1.1-2

8.1.1-2ubuntu0.1

8.1.1-2ubuntu0.2

8.1.1-2ubuntu0.4

8.1.1-2ubuntu0.6

8.1.1-2ubuntu0.6+esm2

8.1.1-2ubuntu0.6+esm3

8.1.1-2ubuntu0.6+esm4

8.1.1-2ubuntu0.6+esm5

8.1.1-2ubuntu0.6+esm6

8.1.1-2ubuntu0.6+esm8

8.1.1-2ubuntu0.6+esm10

Ecosystem specific

{
    "ubuntu_priority": "negligible"
}

Ubuntu:Pro:18.04:LTS / python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip@9.0.1-2.3~ubuntu1.18.04.8+esm6?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.0.1-2

9.0.1-2.3~ubuntu1

9.0.1-2.3~ubuntu1.18.04.1

9.0.1-2.3~ubuntu1.18.04.2

9.0.1-2.3~ubuntu1.18.04.3

9.0.1-2.3~ubuntu1.18.04.4

9.0.1-2.3~ubuntu1.18.04.5

9.0.1-2.3~ubuntu1.18.04.5+esm2

9.0.1-2.3~ubuntu1.18.04.5+esm3

9.0.1-2.3~ubuntu1.18.04.6

9.0.1-2.3~ubuntu1.18.04.6+esm1

9.0.1-2.3~ubuntu1.18.04.7

9.0.1-2.3~ubuntu1.18.04.7+esm1

9.0.1-2.3~ubuntu1.18.04.8

9.0.1-2.3~ubuntu1.18.04.8+esm1

9.0.1-2.3~ubuntu1.18.04.8+esm2

9.0.1-2.3~ubuntu1.18.04.8+esm4

9.0.1-2.3~ubuntu1.18.04.8+esm6

Ecosystem specific

{
    "ubuntu_priority": "negligible"
}

Ubuntu:20.04:LTS / python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip@20.0.2-5ubuntu1.11?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

18.*

18.1-5

18.1-5build1

18.1-5ubuntu1

20.*

20.0.2-2

20.0.2-4

20.0.2-5

20.0.2-5ubuntu1

20.0.2-5ubuntu1.1

20.0.2-5ubuntu1.3

20.0.2-5ubuntu1.4

20.0.2-5ubuntu1.5

20.0.2-5ubuntu1.6

20.0.2-5ubuntu1.7

20.0.2-5ubuntu1.8

20.0.2-5ubuntu1.9

20.0.2-5ubuntu1.10

20.0.2-5ubuntu1.11

Ecosystem specific

{
    "ubuntu_priority": "negligible"
}