Vulnerability title
N/A
Vulnerability description
**Disputed** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (so the attacker can place a package with an arbitrary version number there). NOTE: it has been reported that this is intended functionality and the user is responsible for using the --extra-index-url option securely.
CVSS information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Vulnerability category
N/A
Vulnerability title
N/A
Vulnerability description
An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.
CVSS information
N/A
Vulnerability category
N/A
Vulnerability title
Pip input validation error vulnerability
Vulnerability description
Pip is a tool for installing and managing Python packages. The --extra-index-url option in pip (all versions) has an input validation error vulnerability. An attacker could exploit this vulnerability via a crafted request to execute arbitrary code on the system.
CVSS information
N/A
Vulnerability category
Input validation error