Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue CVE-2018-20225 raised for PIP #12874

Closed
1 task done
shripad-bhat opened this issue Jul 24, 2024 · 1 comment
Closed
1 task done

Security issue CVE-2018-20225 raised for PIP #12874

shripad-bhat opened this issue Jul 24, 2024 · 1 comment
Labels
resolution: duplicate Duplicate of an existing issue/PR type: security Has potential security implications

Comments

@shripad-bhat
Copy link

Description

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. This vulnerability was first assigned with CVE-2018-20225, but it is still under dispute. However, this vulnerability still poses a threat when using the --extra-index-url.

Expected behavior

No response

pip version

24.1.2

Python version

3.11.18

OS

Redhat

How to Reproduce

NA

Output

No response

Code of Conduct
@shripad-bhat shripad-bhat added S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior labels Jul 24, 2024
@notatallshaw notatallshaw added type: security Has potential security implications resolution: duplicate Duplicate of an existing issue/PR and removed type: bug A confirmed bug or unintended behavior S: needs triage Issues/PRs that need to be triaged labels Jul 24, 2024
@notatallshaw
Copy link
Member

notatallshaw commented Jul 24, 2024
edited
Loading

Thanks for your report, this CVE has been reported previously in #9612, which was folded into the discussion in #8606.

In general, there are always choices users need to make with security vs. flexibility trade offs. Choices a user could make to help mitigate this kind of attack vector are:

  • Do not use any index you do not control
  • Expose only which packages you want to publicly access via a private mirror/proxy
  • Resolve and review all your packages ahead of installing, using a mechanism like a lock file (available using tools like pip-tools, uv, pdm, rye, poetry, etc. [and somewhat possible using pip's report feature] you should also review what packages you allow as sdists vs. wheels when resolving)
  • Switch to a tool (uv, pdm, poetry, etc.) which allows index prioritisation (you will need to review the specific behaviour the tool has implemented)

@notatallshaw notatallshaw closed this as not planned Won't fix, can't repro, duplicate, stale Jul 24, 2024
@notatallshaw notatallshaw mentioned this issue Aug 13, 2024
Closed
1 task
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 24, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
resolution: duplicate Duplicate of an existing issue/PR type: security Has potential security implications
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@notatallshaw @shripad-bhat