Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2018-20225
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
- ❌ pip-23.1.2-pyhd8ed1ab_0.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2020-05-08
URL: CVE-2018-20225
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2026-1703
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
- ❌ pip-23.1.2-pyhd8ed1ab_0.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
Publish Date: 2026-02-02
URL: CVE-2026-1703
CVSS 3 Score Details (3.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-02
Fix Resolution: https://github.com/pypa/pip.git - 26.0,pip - 26.0
Step up your Open Source Security Game with Mend here
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2020-05-08
URL: CVE-2018-20225
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
Publish Date: 2026-02-02
URL: CVE-2026-1703
CVSS 3 Score Details (3.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-02
Fix Resolution: https://github.com/pypa/pip.git - 26.0,pip - 26.0
Step up your Open Source Security Game with Mend here