docker-library / python

Docker Official Image packaging for Python
https://www.python.org/
MIT License

Issue: Facing CVE-2018-20225 in Python 3.11.9-alpine3.19 Docker Image #918

Closed akmatoliya closed 2 months ago

akmatoliya commented 2 months ago

We've identified a vulnerability within our Docker image that poses a security risk. CVE-2018-20225 has been detected, indicating a potential threat to our system's integrity. This CVE could allow attackers to execute arbitrary code or conduct denial-of-service attacks. Impact:

Could you please provide an estimated timeline for fixing this issue? Additionally, any guidance on how to address this vulnerability effectively would be highly appreciated. We would like to ensure that our system remains secure and up-to-date.

Thank you.

yosifkit commented 2 months ago

https://security.alpinelinux.org/vuln/CVE-2018-20225:

NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely

https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html

I disclosed this to the security@python.org list. Unfortunately they said there is currently no path to fix this.

So, this CVE is basically "working as designed" and "WONTFIX" even in upstream python/pip.

tianon commented 2 months ago

This CVE could allow attackers to execute arbitrary code or conduct denial-of-service attacks.

Again, as in #919, I'm going to need some more citation to back up this claim. The only plausible attack I can come up with is a name collision on the public PyPI index with some company-internal package, and that being installed instead of the company-internal version, and that public package on PyPI being malicious. That is an astoundingly small window of opportunity, and would very likely be a targeted attack.
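To make the name-collision scenario tianon describes concrete, here is an added model (not code from this thread, pip, or the docker-library project) of how pip merges candidates: every configured index, whether given by --index-url or --extra-index-url, goes into one pool and the highest matching version wins, so a same-named public package with a larger version number displaces the internal one. The catalogue, the package name `acme-billing` and the internal index URL are constructed for illustration; the hardened resolver models the usual mitigation of serving internal names only from the private index (a private proxy with an exclusion list, or dropping --extra-index-url altogether).

```python
from dataclasses import dataclass

# Assumed/constructed values: a fictional private index beside the public one.
INTERNAL_INDEX = "https://pypi.internal.example/simple"
PUBLIC_INDEX = "https://pypi.org/simple"


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str


# Constructed catalogue: "acme-billing" is an internal package whose name also
# exists on the public index with a higher version number.
CATALOGUE = {
    INTERNAL_INDEX: [Candidate("acme-billing", "1.4.0", INTERNAL_INDEX)],
    PUBLIC_INDEX: [
        Candidate("acme-billing", "99.0.0", PUBLIC_INDEX),
        Candidate("requests", "2.31.0", PUBLIC_INDEX),
    ],
}


def version_key(version: str) -> tuple:
    """Numeric ordering for the simple dotted versions used in this model."""
    return tuple(int(part) for part in version.split("."))


def pip_like_resolve(name: str, index_url: str, extra_index_urls: list) -> Candidate:
    """Model of pip's default behaviour: all indexes form one pool, highest version wins.
    Index order carries no priority, so listing the private index first does not help."""
    pool = [c for url in [index_url, *extra_index_urls]
            for c in CATALOGUE.get(url, []) if c.name == name]
    if not pool:
        raise LookupError(f"no candidate for {name}")
    return max(pool, key=lambda c: version_key(c.version))


def pinned_resolve(name: str, index_url: str, extra_index_urls: list,
                   internal_names: set) -> Candidate:
    """Hardened model: names declared internal are looked up on index_url only, so a
    public package of the same name is never a candidate; other names behave as before."""
    if name in internal_names:
        return pip_like_resolve(name, index_url, [])
    return pip_like_resolve(name, index_url, extra_index_urls)
```

Running `pip_like_resolve("acme-billing", INTERNAL_INDEX, [PUBLIC_INDEX])` returns the 99.0.0 public candidate, while `pinned_resolve` with `{"acme-billing"}` as the internal set returns the 1.4.0 internal one.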