CVE-2018-20225
Publication date 8 May 2020
Last updated 24 July 2024
Ubuntu priority
** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-pip | 20.04 LTS focal | Ignored |
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored |
Notes
mdeslaur
This works as per the documentation, and this CVE has been disputed as being a security issue. There is no fix for this issue available fom pip developers. We will not be fixing this issue in Ubuntu.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |