CVE-2018-20225
CVE Details
Visit the official vulnerability details page for CVE-2018-20225 to learn more.
Initial Publication
11/10/2024
Last Update
12/16/2024
Third Party Dependency
py3-pip
NIST CVE Summary
An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely
CVE Severity
Our Official Summary
This flaw was found in the python-pip component and only affects the --extra-index-url option. Exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). Risk of exploitation is low for our products as this CVE is reported on a backend container. Attacker must gain privileged access to the container and run pip on the container to be able to exploit this.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.5.15 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.11 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.10 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.8 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
| Date | Revision |
|---|---|
| 12/16/2024 | Impacted versions changed from 4.5.8, 4.5.10, 4.5.11 to 4.5.8, 4.5.10, 4.5.11, 4.5.15 |
| 12/11/2024 | Official summary revised: This flaw was found in the python-pip component and only affects the --extra-index-url option. Exploitation requiresthat the package does not already exist in the public index (and thus the attacker can put the package there with anarbitrary version number). Risk of exploitation is low for our products as this CVE is reported on a backend container.Attacker must gain privileged access to the container and run pip on the container to be able to exploit this. |
| 12/11/2024 | Official summary revised: A null pointer dereference flaw was found in Libtiff via tif_dirinfo.c. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.The risk of exploitation of this vulnerability for our products is low as these containers canot be modified without privileged access and running arbitrary code. Containers have security controls in place to prevent these actions. We will wait for an upstream fix and then upgrade these components. |
| 11/15/2024 | Impacted versions changed from 4.5.8, 4.5.10 to 4.5.8, 4.5.10, 4.5.11 |
| 11/15/2024 | Impacted versions changed from 4.5.8 to 4.5.8, 4.5.10 |