CVE-2018-20225 - OpenCVE

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pypa	Pip

Configuration 1 [-]

cpe:2.3:a:pypa:pip:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1835736
https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html
https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2018-20225
https://pip.pypa.io/en/stable/news/
https://www.cve.org/CVERecord?id=CVE-2018-20225

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-08T17:29:12

Updated: 2024-08-05T11:58:18.416Z

Reserved: 2018-12-19T00:00:00

Link: CVE-2018-20225

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-05-08T18:15:10.377

Modified: 2024-08-05T12:15:29.653

Link: CVE-2018-20225

Redhat

Severity : Low

Publid Date: 2020-04-28T00:00:00Z

Links: CVE-2018-20225 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-01T16:05:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://pip.pypa.io/en/stable/news/"}, {"tags": ["x_refsource_MISC"], "url": "https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html"}, {"name": "[arrow-github] 20200527 [GitHub] [arrow] BinduAggarwal opened a new pull request #7294: upgrading pip/wheel/setuptools", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835736"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-20225", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://pip.pypa.io/en/stable/news/", "refsource": "MISC", "url": "https://pip.pypa.io/en/stable/news/"}, {"name": "https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html", "refsource": "MISC", "url": "https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html"}, {"name": "[arrow-github] 20200527 [GitHub] [arrow] BinduAggarwal opened a new pull request #7294: upgrading pip/wheel/setuptools", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2@%3Cgithub.arrow.apache.org%3E"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1835736", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835736"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:58:18.416Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pip.pypa.io/en/stable/news/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html"}, {"name": "[arrow-github] 20200527 [GitHub] [arrow] BinduAggarwal opened a new pull request #7294: upgrading pip/wheel/setuptools", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835736"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-20225", "datePublished": "2020-05-08T17:29:12", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2024-08-05T11:58:18.416Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pypa:pip:*:*:*:*:*:*:*:*", "matchCriteriaId": "18E919ED-27F7-406C-9BC7-6C85F69FD182", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely"}, {"lang": "es", "value": "** EN DISPUTA ** Se detect\u00f3 un problema en pip (todas las versiones) porque instala la versi\u00f3n con el n\u00famero de versi\u00f3n m\u00e1s alto, incluso si el usuario ten\u00eda la intenci\u00f3n de obtener un paquete privado desde un \u00edndice privado. Esto solo afecta el uso de la opci\u00f3n --extra-index-url, y una explotaci\u00f3n requiere que el paquete a\u00fan no exista en el \u00edndice p\u00fablico (y, por lo tanto, el atacante puede colocar el paquete all\u00ed con un n\u00famero de versi\u00f3n arbitrario). NOTA: se ha informado que esta es la funcionalidad prevista y el usuario es responsable de usar --extra-index-url de forma segura."}], "id": "CVE-2018-20225", "lastModified": "2024-08-05T12:15:29.653", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-08T18:15:10.377", "references": [{"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835736"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://pip.pypa.io/en/stable/news/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "python-pip: when --extra-index-url option is used and package does not already exist in the public index, the installation of malicious package with arbitrary version number is possible.", "id": "1835736", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835736"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-348", "details": ["An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely", "A flaw was found in python-pip. The software installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number)."], "mitigation": {"lang": "en:us", "value": "To protect from any unintended behavior, use --index-url and do not use --extra-index-url OR explicitly set --index-url and use --extra-index-url."}, "name": "CVE-2018-20225", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "python-pip", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python-pip", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "python27-python-pip", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "python27-python-pip", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-python36-python-pip", "product_name": "Red Hat Software Collections"}], "public_date": "2020-04-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-20225\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-20225\nhttps://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html"], "statement": "Although this issue affects versions of pip shipped with Red Hat Enterprise Linux, Red Hat Software Collections and Red Hat CodeReady Workspaces, Red Hat Product Security does not consider this to be a security vulnerability because per the pip documentation, this is intended behavior of pip when using the --extra-index-url flag. Therefore, this issue has been marked WONTFIX.", "threat_severity": "Low"}