CVE-2018-20225
Published: 8 May 2020
** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.
Notes
| Author | Note |
|---|---|
| mdeslaur | This works as per the documentation, and this CVE has been disputed as being a security issue. There is no fix for this issue available fom pip developers. We will not be fixing this issue in Ubuntu. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python-pip Launchpad, Ubuntu, Debian |
bionic |
Ignored
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Ignored
|
|
| trusty |
Ignored
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |