CVE-2018-20225: Input Validation
First published: Fri May 08 2020(Updated: )
** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pypa pip |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1835736
- https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html
- https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2@%3Cgithub.arrow.apache.org%3E
- https://pip.pypa.io/en/stable/news/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835737
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835742
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835736#c2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835736#c8
- https://pypi.org/simple
- https://pip.pypa.io/en/stable/reference/pip_install/#install-index-url
- https://twiki.cern.ch/twiki/bin/view/LHCb/PythonPyPIServer
- https://pip.pypa.io/en/stable/reference/pip/#trusted-host
- https://access.redhat.com/security/cve/cve-2018-20225
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835736#c7
- https://www.google.com/search?ei=i43NXvXCGMrA0PEPzKO3kAg&q=%22pip+install+--extra-index-url%22&oq=%22pip+install+--extra-index-url%22&gs_lcp=CgZwc3ktYWIQAzoECAAQR1DADFiHKmDcLWgAcAF4AIABRogBiwGSAQEymAEAoAEBqgEHZ3dzLXdpeg&sclient=psy-ab&ved=0ahUKEwi1tLHov9LpAhVKIDQIHczRDYIQ4dUDCAw&uact=5
- https://pypi.org/project/cngi-prototype/0.0.22/
- https://casa-pip.nrao.edu/repository/pypi-group/simple
- https://pypi.org/project/casatools/99999.9.9/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835736#c20
- https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
- https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E
Frequently Asked Questions
What is CVE-2018-20225?
CVE-2018-20225 is an issue in pip (all versions) where it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index.
How does CVE-2018-20225 affect me?
If you use pip with the --extra-index-url option to install packages from private indexes, this vulnerability may allow the installation of unintended packages from public indexes.
What is the severity of CVE-2018-20225?
The severity of CVE-2018-20225 is high with a CVSS score of 7.8.
How can I mitigate the risk of CVE-2018-20225?
To mitigate the risk, avoid using the --extra-index-url option, or only use trusted private indexes.
Where can I find more information about CVE-2018-20225?
You can find more information about CVE-2018-20225 in the references: [1], [2], [3].
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-20225
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/status
- agent/description
- agent/event
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/tags
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/pypa
- canonical/pypa pip
- status/disputed