Description

An issue was discovered in pip (all versions): when more than one index is configured, pip installs the candidate with the highest version number, even if the user intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package name does not already exist in the public index (so that the attacker can publish a package of that name there with an arbitrary, higher version number).

NOTE: it has been reported that this is intended functionality and that the user is responsible for using --extra-index-url securely.
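The selection rule the description refers to, simulated as an added example (this is not pip's own code). pip gives --index-url and every --extra-index-url equal weight and picks the highest version of a name found on any of them. The two index URLs, the package names and the version lists below are constructed sample data, and the version parsing is a simplification of pip's full PEP 440 handling. The `audit_private_names` check is an assumed pre-install step, not a pip feature: it reports which of the names you expect to come from your private index would actually be served from somewhere else.

```python
"""Simulation of pip's candidate selection across several package indexes.

Added example, not pip's own code. pip treats --index-url and each
--extra-index-url as equal sources and installs the highest version of a
name offered by any of them. All index contents below are constructed.
"""
from dataclasses import dataclass

# Constructed stand-ins for a public index and an organisation's private one.
PUBLIC_INDEX = "https://pypi.example.org/simple/"
PRIVATE_INDEX = "https://pypi.internal.example/simple/"

INDEXES = {
    PUBLIC_INDEX: {
        "requests": ["2.31.0", "2.32.3"],
        # Internal-only name that an attacker has registered on the public
        # index with an arbitrarily high version number.
        "acme-internal-tools": ["99.0.0"],
    },
    PRIVATE_INDEX: {
        "acme-internal-tools": ["1.4.2"],
        "acme-billing": ["0.9.0"],
    },
}


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple
    index: str


def parse_version(text):
    """Simplified version key: numeric dotted releases only (pip uses full PEP 440)."""
    return tuple(int(part) for part in text.split("."))


def collect_candidates(name, indexes):
    """Gather every release of `name` that any configured index offers."""
    return [
        Candidate(name, parse_version(version), url)
        for url, contents in indexes.items()
        for version in contents.get(name, [])
    ]


def pip_like_select(name, indexes):
    """Mirror pip's default rule: the highest version wins, whichever index serves it."""
    candidates = collect_candidates(name, indexes)
    return max(candidates, key=lambda c: c.version, default=None)


def audit_private_names(private_names, private_index, indexes):
    """Assumed pre-install check (not part of pip).

    For each name that is expected to come from `private_index`, report True
    when pip's selection rule would take it from a different index (the
    install would be hijacked by a shadowing package) and False otherwise.
    """
    report = {}
    for name in private_names:
        chosen = pip_like_select(name, indexes)
        report[name] = chosen is not None and chosen.index != private_index
    return report


if __name__ == "__main__":
    for name in ("acme-internal-tools", "acme-billing"):
        chosen = pip_like_select(name, INDEXES)
        version = ".".join(str(part) for part in chosen.version)
        print(f"{name}: pip would install {version} from {chosen.index}")
    print(audit_private_names(["acme-internal-tools", "acme-billing"], PRIVATE_INDEX, INDEXES))
```

Running it shows `acme-internal-tools` resolving to 99.0.0 from the public index while `acme-billing`, which the attacker has not registered publicly, still comes from the private index; that is exactly the precondition the description states. Since pip offers no per-package index pinning, the practical defences are to serve both public and private packages through a single `--index-url` (a proxying private index) instead of combining `--extra-index-url` with a public one, to pin installs with `--require-hashes`, and to register your private names on the public index so nobody else can.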