CVE-2018-20225 — Vulnetix

Try Vulnetix Request Demo

CVE-2018-20225 PUBLISHED

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely

EPSS 1.71% · 82.2th percentile

Risk Scores

EPSS Score

1.71%

82.2th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:18.04:LTS	python-pip	9.0.1-2.3~ubuntu1.18.04.6, 9.0.1-2.3~ubuntu1.18.04.5+esm3, 9.0.1-2.3~ubuntu1.18.04.5+esm2
Ubuntu:Pro:14.04:LTS	python-pip	0, 1.4.1-2, 1.5.4-1
Ubuntu:Pro:16.04:LTS	python-pip	8.1.1-2ubuntu0.6+esm11, 8.1.1-2ubuntu0.6+esm12, 8.1.1-2ubuntu0.6+esm10
Ubuntu:Pro:20.04:LTS	python-pip	0, 18.1-5, 18.1-5build1

Timeline

May 8, 2020 CVE Published
Apr 14, 2021 EPSS Score
Aug 26, 2024 CVE Updated
Mar 17, 2025 EPSS Score
Mar 20, 2025 EPSS Score
Mar 23, 2025 EPSS Score
Mar 24, 2025 EPSS Score
Mar 26, 2025 EPSS Score
Mar 29, 2025 EPSS Score
Mar 31, 2025 EPSS Score
May 1, 2025 EPSS Score
Jun 1, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2018-20225 third-party-advisory
https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html third-party-advisory
https://pip.pypa.io/en/stable/news/ third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2018-20225 third-party-advisory
Multiples vulnérabilités dans les produits IBM advisory

Open in Interactive Console →