ByteOS Network

CVE Vulnerability Details :

CVE-2018-20225

PUBLISHED

More Info Official Page

Assigner-mitre

Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca

Published At-08 May, 2020 | 17:29

Updated At-15 Apr, 2026 | 20:50

▼CVE Numbering Authority (CNA)

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely

Affected Products

Vendor

n/a

Product

n/a

Versions

Affected

Problem Types

Type	CWE ID	Description
text	N/A	n/a

Type: text

CWE ID: N/A

Description: n/a

References

Hyperlink	Resource
https://pip.pypa.io/en/stable/news/	x_refsource_MISC
https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html	x_refsource_MISC
https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E	mailing-list x_refsource_MLIST
https://bugzilla.redhat.com/show_bug.cgi?id=1835736	x_refsource_MISC

Hyperlink: https://pip.pypa.io/en/stable/news/

Resource:

x_refsource_MISC

Hyperlink: https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html

Resource:

x_refsource_MISC

Hyperlink: https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E

Resource:

mailing-list

x_refsource_MLIST

Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1835736

Resource:

x_refsource_MISC

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://pip.pypa.io/en/stable/news/	x_refsource_MISC x_transferred
https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html	x_refsource_MISC x_transferred
https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E	mailing-list x_refsource_MLIST x_transferred
https://bugzilla.redhat.com/show_bug.cgi?id=1835736	x_refsource_MISC x_transferred

Hyperlink: https://pip.pypa.io/en/stable/news/

Resource:

x_refsource_MISC

x_transferred

Hyperlink: https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html

Resource:

x_refsource_MISC

x_transferred

Hyperlink: https://lists.apache.org/thread.html/rb1adce798445facd032870d644eb39c4baaf9c4a7dd5477d12bb6ab2%40%3Cgithub.arrow.apache.org%3E

Resource:

mailing-list

x_refsource_MLIST

x_transferred

Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1835736

Resource:

x_refsource_MISC

x_transferred

2. CISA ADP Vulnrichment

Problem Types

Type	CWE ID	Description
CWE	CWE-20	CWE-20 Improper Input Validation

Type: CWE

CWE ID: CWE-20

Description: CWE-20 Improper Input Validation

Metrics

Version	Base score	Base severity	Vector
3.1	7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Version: 3.1

Base score: 7.8

Base severity: HIGH

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References