CVE-2018-20225

CVE-2018-20225 PUBLISHED

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and that the user is responsible for using --extra-index-url securely.

Risk Scores

EPSS Score: 3.73% (percentile 88.2)

Affected Products

Vendor                | Product    | Versions
----------------------|------------|------------------------------------------------------------
Ubuntu:Pro:18.04:LTS  | python-pip | *, 9.0.1-2.3~ubuntu1.18.04.8, 9.0.1-2.3~ubuntu1.18.04.8+esm1
Ubuntu:Pro:14.04:LTS  | python-pip | 1.4.1-2, 1.5.4-1, 1.5.4-1ubuntu1
Ubuntu:Pro:16.04:LTS  | python-pip | *, 0, 1.5.6-7ubuntu1
Ubuntu:Pro:20.04:LTS  | python-pip | 18.1-5, 18.1-5build1, 20.0.2-2

Timeline

  • May 8, 2020 CVE Published
  • Apr 14, 2021 EPSS Score
  • Aug 26, 2024 CVE Updated
  • Mar 17, 2025 EPSS Score
  • Mar 20, 2025 EPSS Score
  • Mar 23, 2025 EPSS Score
  • Mar 24, 2025 EPSS Score
  • Mar 26, 2025 EPSS Score
  • Mar 29, 2025 EPSS Score
  • Mar 31, 2025 EPSS Score
  • May 1, 2025 EPSS Score
  • Jun 1, 2025 EPSS Score