PyPI: pip
CVE-2018-20225
Safety vulnerability ID: SFTY-20200508-12907
Safety legacy ID: pyup.io-67599
An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.
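As an added illustration (not part of this advisory or of pip's own code), the Python below models the selection rule the description gives, shows how hash-checking mode (pip's --require-hashes) rejects an artifact that was not pinned, and lists the internal names that meet the advisory's precondition of not existing on the public index. Package names, versions and file contents are constructed.

```python
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str    # "private" (--index-url) or "public" (--extra-index-url)
    sha256: str   # digest of the distribution file

def version_key(version: str) -> tuple:
    # Simplified ordering: dotted numeric versions only (assumption; pip uses PEP 440).
    return tuple(int(part) for part in version.split("."))

def select_highest(candidates):
    """The behaviour described in the advisory: every configured index is one pool,
    and the highest version wins regardless of which index served it."""
    return max(candidates, key=lambda c: version_key(c.version))

def select_with_hashes(candidates, pinned_hashes):
    """Hash-checking mode: a file whose digest is not pinned is never installed,
    so an unexpected upload on another index is rejected."""
    trusted = [c for c in candidates if c.sha256 in pinned_hashes]
    if not trusted:
        raise ValueError("no candidate matches a pinned hash; refusing to install")
    return select_highest(trusted)

def exposed_names(private_names, public_names):
    """Internal names absent from the public index: the precondition the advisory
    gives for exploitation (anyone may register such a name there)."""
    return sorted(set(private_names) - set(public_names))

# Constructed sample data: one internal package served by both indexes.
PRIVATE_FILE = b"acme_internal-1.2.0 (constructed private build)"
PUBLIC_FILE = b"acme_internal-99.0 (constructed, unexpected public upload)"
PRIVATE_SHA = hashlib.sha256(PRIVATE_FILE).hexdigest()
PUBLIC_SHA = hashlib.sha256(PUBLIC_FILE).hexdigest()
CANDIDATES = [
    Candidate("acme-internal", "1.2.0", "private", PRIVATE_SHA),
    Candidate("acme-internal", "99.0", "public", PUBLIC_SHA),
]

if __name__ == "__main__":
    print("default rule picks:", select_highest(CANDIDATES).index)  # public
    print("hash-pinned rule picks:", select_with_hashes(CANDIDATES, {PRIVATE_SHA}).index)  # private
    print("exposed names:", exposed_names(["acme-internal", "requests"], ["requests"]))  # ['acme-internal']
```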
References
- https://getsafety.com/vulnerabilities/SFTY-20200508-12907/CVE-2018-20225
- https://bugzilla.redhat.com/show_bug.cgi?id=1835736
- https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20225
- https://github.com/pypa/pip/pull/9647
- https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2@%3Cgithub.arrow.apache.org%3E
- https://pip.pypa.io/en/stable/news/
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.