Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ubuntucveUbuntu.comUB:CVE-2018-20225
HistoryMay 08, 2020 - 12:00 a.m.

CVE-2018-20225

2020-05-0800:00:00
ubuntu.com
ubuntu.com
16

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

44.9%

JSON

DISPUTED An issue was discovered in pip (all versions) because it
installs the version with the highest version number, even if the user had
intended to obtain a private package from a private index. This only
affects use of the --extra-index-url option, and exploitation requires that
the package does not already exist in the public index (and thus the
attacker can put the package there with an arbitrary version number). NOTE:
it has been reported that this is intended functionality and the user is
responsible for using --extra-index-url securely.

Notes

Author Note
mdeslaur This works as per the documentation, and this CVE has been disputed as being a security issue. There is no fix for this issue available fom pip developers. We will not be fixing this issue in Ubuntu.

Related

nvd 1
redhatcve 1
openvas 2
nessus 7
ibm 3
cve 1
cbl_mariner 1
osv 1
cvelist 1
prion 1
debiancve 1
oracle 1
nvd
nvd
CVE-2018-20225
2020-05-08 18:15:10
redhatcve
redhatcve
CVE-2018-20225
2020-05-14 12:40:05
openvas
openvas
Huawei EulerOS: Security Advisory for python-pip (EulerOS-SA-2021-1745)
2021-04-13 00:00:00
Huawei EulerOS: Security Advisory for python-pip (EulerOS-SA-2021-1728)
2021-04-13 00:00:00
nessus
nessus
EulerOS Virtualization 2.9.1 : python-pip (EulerOS-SA-2021-1728)
2021-04-15 00:00:00
RHEL 8 : python-pip (Unpatched Vulnerability)
2024-05-11 00:00:00
EulerOS Virtualization 2.9.0 : python-pip (EulerOS-SA-2021-1745)
2021-04-15 00:00:00
ibm
ibm
Security Bulletin: WML CE: pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index
2020-07-17 16:48:37
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python
2020-06-19 05:08:48
Security Bulletin: Pip as used by IBM QRadar Advisor With Watson is vulnerable to multiple vulnerabilities (CVE-2019-20916, CVE-2021-3572, CVE-2018-20225)
2022-06-15 19:07:37
cve
cve
CVE-2018-20225
2020-05-08 18:15:10
cbl_mariner
cbl_mariner
CVE-2018-20225 affecting package python-pip 19.2-2
2024-07-03 03:08:34
osv
osv
CGA-qc45-xwrj-86w8
2024-06-20 16:19:15
cvelist
cvelist
CVE-2018-20225
2020-05-08 17:29:12
prion
prion
Denial of service
2020-05-08 18:15:00
debiancve
debiancve
CVE-2018-20225
2020-05-08 18:15:10
oracle
oracle
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

44.9%

JSON
Related for UB:CVE-2018-20225
nvd1redhatcve1openvas2nessus7ibm3cve1cbl_mariner1osv1cvelist1prion1debiancve1oracle1