Pip vulnerability

ubububu · July 13, 2023, 2:49pm

Hi,

CVE-2018-20225 supposedly applies to all pip versions since 2018. I could not find any official stand on this, whether it’s treated as an active vulnerability, or a feature.

Would anybody share a link to an authoritative statement about CVE-2018-20225?

Thank you in advance! Take care!

Rosuav · July 13, 2023, 2:59pm

Courtesy context link: NVD - CVE-2018-20225

barry-scott · July 13, 2023, 3:23pm

The cve says that the issue is disputed.
It also says what you have to do to be affected.
What is your specific concern?

fungi · July 13, 2023, 4:38pm

Keep in mind that pretty much anyone can request a CVE ID assignment
for just about any behavior they want to argue is unwanted. There is
very little justification required by MITRE, and some CNAs may even
assign CVEs with no required justification at all.

In case it’s not clear (this is an oft repeated mantra in places
like the oss-security mailing list but less so here on DPO), the
existence of a CVE does not necessarily imply the existence of a
security flaw.

As for this specific CVE, you may want to check out PEP 708
“Extending the Repository API to Mitigate Dependency Confusion
Attacks” along with the related discussions here on DPO.

ubububu · July 14, 2023, 8:30am

Thank you guys.

So is fact that the cve is not resolved since 2018 due to python community not taking it as a real vulnerability?

My problem with that is somewhere pip gets tagged by some cyber tool with this CVE and it’s blocked as vulnerable code…

Rosuav · July 14, 2023, 8:44am

The issue you referenced can ONLY be a problem if:

You use a private package repository
You also use the main upstream repository
You install something from your private repository
An attacker knows the package name you’re using, and uploads a higher-numbered version of the same package to the upstream repo.

Are you using a private repository? If not, ignore the issue, it can’t apply to you.

barry-scott · July 14, 2023, 9:22am

Just using pip is a security issue.
In a production environment you cannot risk running code downloaded by pip being malicious.

Where i work we get the source code, review it, package it ourselves and only use our copy.

fungi · July 14, 2023, 11:52am

Any security scanner which blindly assumes all CVEs represent an
exploitable condition in your environment is fundamentally flawed.
Consider looking for scanners which take a more direct approach to
checking systems security, or at least see if the one you’re using
allows you to adjust the list of tests to those which are relevant
to your environment.

The underlying problem is, like with many things in this industry,
to properly evaluate the security of your systems you need both a
strong understanding of those systems and the potential
vulnerabilities. As long as you treat it like an inscrutable black
box, you won’t have useful results from any of this class of tools.