CVE-2018-20225
CVE Details
Visit the official vulnerability details page for CVE-2018-20225 to learn more.
Initial Publication
11/10/2024
Last Update
12/16/2024
Third Party Dependency
py3-pip
NIST CVE Summary
An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely
CVE Severity
Our Official Summary
This flaw was found in the python-pip component and only affects the --extra-index-url option. Exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). Risk of exploitation is low for our products as this CVE is reported on a backend container. Attacker must gain privileged access to the container and run pip on the container to be able to exploit this.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.5.15 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.11 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.10 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.8 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
| Date | Revision |
|---|---|
| 12/16/2024 | Impacted versions changed from 4.5.8, 4.5.10, 4.5.11 to 4.5.8, 4.5.10, 4.5.11, 4.5.15 |
| 11/15/2024 | Impacted versions changed from 4.5.8, 4.5.10 to 4.5.8, 4.5.10, 4.5.11 |
| 11/15/2024 | Impacted versions changed from 4.5.8 to 4.5.8, 4.5.10 |