Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2018-20225
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
- ❌ pip-23.1.2-pyhd8ed1ab_0.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2020-05-08
URL: CVE-2018-20225
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2026-6357
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
- ❌ pip-23.1.2-pyhd8ed1ab_0.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.
Publish Date: 2026-04-27
URL: CVE-2026-6357
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: pip - 26.1,pip - 26.1,https://github.com/pypa/pip.git - v26.1
Step up your Open Source Security Game with Mend here
CVE-2023-5752
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
- ❌ pip-23.1.2-pyhd8ed1ab_0.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
When installing a package from a Mercurial VCS URL (ie "pip install
hg+...") with pip prior to v23.3, the specified Mercurial revision could
be used to inject arbitrary configuration options to the "hg clone"
call (ie "--config"). Controlling the Mercurial configuration can modify
how and which repository is installed. This vulnerability does not
affect users who aren't installing from Mercurial.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-10-24
URL: CVE-2023-5752
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-5752
Release Date: 2023-10-24
Fix Resolution: pip - 23.3
Step up your Open Source Security Game with Mend here
CVE-2026-8643
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
- ❌ pip-23.1.2-pyhd8ed1ab_0.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
Publish Date: 2026-06-01
URL: CVE-2026-8643
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-01
Fix Resolution: https://github.com/pypa/pip.git - 26.1.2,pip - 26.1.2,pip - 26.1.2
Step up your Open Source Security Game with Mend here
CVE-2026-1703
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
- ❌ pip-23.1.2-pyhd8ed1ab_0.conda (Vulnerable Library)
Found in base branch: main
Vulnerability Details
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
Publish Date: 2026-02-02
URL: CVE-2026-1703
CVSS 3 Score Details (3.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-02
Fix Resolution: https://github.com/pypa/pip.git - 26.0,pip - 26.0,pip - 26.0
Step up your Open Source Security Game with Mend here
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2020-05-08
URL: CVE-2018-20225
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.
Publish Date: 2026-04-27
URL: CVE-2026-6357
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: pip - 26.1,pip - 26.1,https://github.com/pypa/pip.git - v26.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
When installing a package from a Mercurial VCS URL (ie "pip install
hg+...") with pip prior to v23.3, the specified Mercurial revision could
be used to inject arbitrary configuration options to the "hg clone"
call (ie "--config"). Controlling the Mercurial configuration can modify
how and which repository is installed. This vulnerability does not
affect users who aren't installing from Mercurial.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-10-24
URL: CVE-2023-5752
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-5752
Release Date: 2023-10-24
Fix Resolution: pip - 23.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
Publish Date: 2026-06-01
URL: CVE-2026-8643
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-01
Fix Resolution: https://github.com/pypa/pip.git - 26.1.2,pip - 26.1.2,pip - 26.1.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - pip-23.1.2-pyhd8ed1ab_0.conda
PyPA recommended tool for installing Python packages
Library home page: https://api.anaconda.org/download/conda-forge/pip/23.1.2/noarch/pip-23.1.2-pyhd8ed1ab_0.conda
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda,/home/wss-scanner/miniconda3/pkgs/pip-23.1.2-pyhd8ed1ab_0.conda
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
Publish Date: 2026-02-02
URL: CVE-2026-1703
CVSS 3 Score Details (3.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-02
Fix Resolution: https://github.com/pypa/pip.git - 26.0,pip - 26.0,pip - 26.0
Step up your Open Source Security Game with Mend here