Microsoft CVE
added 2025/10/02 6:11 a.m. · 4 views

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

...

CVSS 7.8 · AI score 7 · EPSS 0.01736
Exploits: 0
OSV
added 2021/04/29 3:15 a.m. · 1 view

DEBIAN-CVE-2020-36327

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that...

CVSS 8.8 · AI score 7.1 · EPSS 0.06307
Exploits: 1 · References: 1
CNNVD
added 2021/04/28 12:00 a.m. · 2 views

Bundler security vulnerability

Bundler is a software application. It provides a consistent environment for Ruby projects by tracking and installing the exact gem and version required. A security vulnerability exists in Bundler versions 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16, which stems from the fact that dependency...

CVSS 9.3 · AI score 5.5 · EPSS 0.06307
Exploits: 1 · References: 27
Vulnrichment
added 2020/05/08 5:29 p.m. · 0 views

CVE-2018-20225

An issue was discovered in pip all versions because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not...

AI score 5.9 · EPSS 0.01736
Exploits: 0 · References: 4
Positive Technologies
added 2020/05/08 12:00 a.m. · 2 views

PT-2020-8665 · Pip +1

Name of the Vulnerable Software and Affected Versions: pip all versions
Description: An issue was discovered in pip because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the...

CVSS 7.8 · AI score 5.8 · EPSS 0.01736
Exploits: 0 · References: 15