An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-08T17:29:12

Updated: 2024-08-05T11:58:18.416Z

Reserved: 2018-12-19T00:00:00

Link: CVE-2018-20225

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-05-08T18:15:10.377

Modified: 2024-11-21T04:01:07.017

Link: CVE-2018-20225

cve-icon Redhat

Severity : Low

Publid Date: 2020-04-28T00:00:00Z

Links: CVE-2018-20225 - Bugzilla