Pip · Pip · CVE-2018-20225
Name of the Vulnerable Software and Affected Versions:
pip (all versions)
Description:
An issue was discovered in pip because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the `--extra-index-url` option, and exploitation requires that the package does not already exist in the public index, allowing an attacker to put the package there with an arbitrary version number. It has been reported that this is intended functionality and the user is responsible for using `--extra-index-url` securely.
Recommendations:
As a temporary workaround, consider using the `--extra-index-url` option securely to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.