Vulnerability found in pip version 24.0
Vulnerability ID: 67599
Affected spec: >=0
ADVISORY: DISPUTED An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.
CVE-2018-20225
For more information about this vulnerability, visit
https://data.safetycli.com/v/67599/97c
To ignore this vulnerability, use PyUp vulnerability id 67599 in safety’s
ignore command-line argument or add the ignore to your safety policy file.
The named module fails with the following report:
+==============================================================================+
REMEDIATIONS
1 vulnerability was reported in 1 package. For detailed remediation & fix recommendations, upgrade to a commercial license.
+==============================================================================+
Scan was completed. 1 vulnerability was reported.
+==============================================================================+