Pip vulnerability


CVE-2018-20225 supposedly applies to all pip versions since 2018. I could not find any official stand on this, whether it’s treated as an active vulnerability, or a feature.

Would anybody share a link to an authoritative statement about CVE-2018-20225?

Thank you in advance! Take care!

Courtesy context link: NVD - CVE-2018-20225

The cve says that the issue is disputed.
It also says what you have to do to be affected.
What is your specific concern?

Keep in mind that pretty much anyone can request a CVE ID assignment
for just about any behavior they want to argue is unwanted. There is
very little justification required by MITRE, and some CNAs may even
assign CVEs with no required justification at all.

In case it’s not clear (this is an oft repeated mantra in places
like the oss-security mailing list but less so here on DPO), the
existence of a CVE does not necessarily imply the existence of a
security flaw.

As for this specific CVE, you may want to check out PEP 708
“Extending the Repository API to Mitigate Dependency Confusion
Attacks” along with the related discussions here on DPO.

Thank you guys.

So is fact that the cve is not resolved since 2018 due to python community not taking it as a real vulnerability?

My problem with that is somewhere pip gets tagged by some cyber tool with this CVE and it’s blocked as vulnerable code…

The issue you referenced can ONLY be a problem if:

  1. You use a private package repository
  2. You also use the main upstream repository
  3. You install something from your private repository
  4. An attacker knows the package name you’re using, and uploads a higher-numbered version of the same package to the upstream repo.

Are you using a private repository? If not, ignore the issue, it can’t apply to you.

Just using pip is a security issue.
In a production environment you cannot risk running code downloaded by pip being malicious.

Where i work we get the source code, review it, package it ourselves and only use our copy.

Any security scanner which blindly assumes all CVEs represent an
exploitable condition in your environment is fundamentally flawed.
Consider looking for scanners which take a more direct approach to
checking systems security, or at least see if the one you’re using
allows you to adjust the list of tests to those which are relevant
to your environment.

The underlying problem is, like with many things in this industry,
to properly evaluate the security of your systems you need both a
strong understanding of those systems and the potential
vulnerabilities. As long as you treat it like an inscrutable black
box, you won’t have useful results from any of this class of tools.