CVE-2018-20225

Advisory

An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1.
NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://pip.pypa.io/en/stable/news/
• https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html
• https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2@%3Cgithub.arrow.apache.org%3E
• https://bugzilla.redhat.com/show_bug.cgi?id=1835736
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20225
• https://github.com/pypa/pip/pull/9647