REDHAT-BUG-1835736
First published: Thu May 14 2020(Updated: )
A vulnerability was discovered in pip (all versions), because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number).
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip | <=9999.9999.9999 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835737
- https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835742
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835736#c2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835736#c8
- https://pypi.org/simple
- https://pip.pypa.io/en/stable/reference/pip_install/#install-index-url
- https://twiki.cern.ch/twiki/bin/view/LHCb/PythonPyPIServer
- https://pip.pypa.io/en/stable/reference/pip/#trusted-host
- https://access.redhat.com/security/cve/cve-2018-20225
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835736#c7
- https://www.google.com/search?ei=i43NXvXCGMrA0PEPzKO3kAg&q=%22pip+install+--extra-index-url%22&oq=%22pip+install+--extra-index-url%22&gs_lcp=CgZwc3ktYWIQAzoECAAQR1DADFiHKmDcLWgAcAF4AIABRogBiwGSAQEymAEAoAEBqgEHZ3dzLXdpeg&sclient=psy-ab&ved=0ahUKEwi1tLHov9LpAhVKIDQIHczRDYIQ4dUDCAw&uact=5
- https://pypi.org/project/cngi-prototype/0.0.22/
- https://casa-pip.nrao.edu/repository/pypi-group/simple
- https://pypi.org/project/casatools/99999.9.9/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1835736#c20
- https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
- https://bugzilla.redhat.com/show_bug.cgi?id=1835736
Frequently Asked Questions
What is the vulnerability in REDHAT-BUG-1835736?
The vulnerability in REDHAT-BUG-1835736 occurs when pip installs the highest version number of a package instead of fetching from the intended private index when the --extra-index-url option is used.
What is the potential impact of the REDHAT-BUG-1835736 vulnerability?
The exploitation of the REDHAT-BUG-1835736 vulnerability can lead to arbitrary code execution by installing malicious packages.
How can I mitigate the REDHAT-BUG-1835736 vulnerability?
To mitigate the REDHAT-BUG-1835736 vulnerability, avoid using the --extra-index-url option or implement version pinning in your package requirements.
Which versions of pip are affected by REDHAT-BUG-1835736?
All versions of pip are affected by the vulnerability described in REDHAT-BUG-1835736.
Is there an update available for REDHAT-BUG-1835736?
Check your package manager or the official pip repository for updates that address the vulnerability in REDHAT-BUG-1835736.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-20225
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/python
- canonical/pip