Skip to content

Deps: Bump actions/checkout from 4 to 5 in the github-actions group #293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
greenbonebot merged 1 commit into from
Aug 18, 2025
Merged

Deps: Bump actions/checkout from 4 to 5 in the github-actions group #293

greenbonebot merged 1 commit into from
Aug 18, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Aug 18, 2025

Bumps the github-actions group with 1 update: actions/checkout.

Updates actions/checkout from 4 to 5

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

What's Changed

Full Changelog: actions/checkout@v4.2.1...v4.2.2

v4.2.1

What's Changed

New Contributors

Full Changelog: actions/checkout@v4.2.0...v4.2.1

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

V4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Aug 18, 2025
@dependabot dependabot bot requested review from a team as code owners August 18, 2025 07:32
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Aug 18, 2025
@greenbonebot greenbonebot enabled auto-merge (rebase) August 18, 2025 07:33
@github-actions
Copy link

github-actions bot commented Aug 18, 2025

Conventional Commits Report

Type Number
Dependencies 1

🚀 Conventional commits found.

@dependabot @bjoernricks
Deps: Bump actions/checkout from 4 to 5 in the github-actions group
ee97dcb 
Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 4 to 5
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@bjoernricks bjoernricks force-pushed the dependabot/github_actions/github-actions-a331d3ec2d branch from 62e8d9f to ee97dcb Compare August 18, 2025 07:34
@github-actions
Copy link

github-actions bot commented Aug 18, 2025
edited
Loading

🔍 Vulnerabilities of harbor-os.greenbone.net/community/greenbone-feed-sync:293-merge-amd64

📦 Image Reference harbor-os.greenbone.net/community/greenbone-feed-sync:293-merge-amd64
digestsha256:44f450bf69b6a30b2a648dc15ff49402da3fe6080530d34ab8ba9e875a3081ad
vulnerabilitiescritical: 0 high: 1 medium: 2 low: 34
size67 MB
packages190
📦 Base Image debian:stable-20250811-slim
also known as
  • stable-slim
digestsha256:a1c1968fb091b256477e675a99ab3fa6f4c2d047ae7f506f92255cf5f0c2cf5e
vulnerabilitiescritical: 0 high: 0 medium: 1 low: 21
critical: 0 high: 1 medium: 1 low: 0 python3.13 3.13.5-2 (deb)

pkg:deb/debian/python3.13@3.13.5-2?os_distro=trixie&os_name=debian&os_version=13

high : CVE--2025--8194

Affected range>=3.13.5-2
Fixed versionNot Fixed
EPSS Score0.09%
EPSS Percentile26th percentile
Description

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

medium : CVE--2025--6069

Affected range>=3.13.5-2
Fixed versionNot Fixed
EPSS Score0.08%
EPSS Percentile24th percentile
Description

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.

critical: 0 high: 0 medium: 1 low: 1 tar 1.35+dfsg-3.1 (deb)

pkg:deb/debian/tar@1.35%2Bdfsg-3.1?os_distro=trixie&os_name=debian&os_version=13

medium : CVE--2025--45582

Affected range>=1.35+dfsg-3.1
Fixed versionNot Fixed
EPSS Score0.04%
EPSS Percentile11th percentile
Description

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).

Disputed tar issue, works as documented per upstream:
https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md

low : CVE--2005--2541

Affected range>=1.35+dfsg-3.1
Fixed versionNot Fixed
EPSS Score3.25%
EPSS Percentile87th percentile
Description

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

This is intended behaviour, after all tar is an archiving tool and you
need to give -p as a command line flag

critical: 0 high: 0 medium: 0 low: 9 openssh 1:10.0p1-7 (deb)

pkg:deb/debian/openssh@1:10.0p1-7?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2023--51767

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score0.01%
EPSS Percentile1st percentile
Description

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

low : CVE--2020--15778

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score67.53%
EPSS Percentile99th percentile
Description

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

low : CVE--2020--14145

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score2.01%
EPSS Percentile83rd percentile
Description

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

low : CVE--2019--6110

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score52.53%
EPSS Percentile98th percentile
Description

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

low : CVE--2018--15919

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score0.72%
EPSS Percentile72nd percentile
Description

Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

low : CVE--2016--20012

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score25.27%
EPSS Percentile96th percentile
Description

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product

low : CVE--2008--3234

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score2.79%
EPSS Percentile86th percentile
Description

sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.

  • openssh (unimportant)
    this is by design

low : CVE--2007--2768

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score0.66%
EPSS Percentile70th percentile
Description

OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.

low : CVE--2007--2243

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score0.48%
EPSS Percentile64th percentile
Description

OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.

critical: 0 high: 0 medium: 0 low: 7 glibc 2.41-12 (deb)

pkg:deb/debian/glibc@2.41-12?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2019--9192

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.16%
EPSS Percentile38th percentile
Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

low : CVE--2019--1010025

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.23%
EPSS Percentile46th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.

low : CVE--2019--1010024

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.39%
EPSS Percentile59th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

low : CVE--2019--1010023

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.70%
EPSS Percentile71st percentile
Description

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

low : CVE--2019--1010022

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.14%
EPSS Percentile36th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

low : CVE--2018--20796

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score2.41%
EPSS Percentile84th percentile
Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

low : CVE--2010--4756

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.37%
EPSS Percentile58th percentile
Description

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

  • glibc (unimportant)
  • eglibc (unimportant)
    That's standard POSIX behaviour implemented by (e)glibc. Applications using
    glob need to impose limits for themselves
critical: 0 high: 0 medium: 0 low: 4 systemd 257.7-1 (deb)

pkg:deb/debian/systemd@257.7-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2023--31439

Affected range>=257.7-1
Fixed versionNot Fixed
EPSS Score0.09%
EPSS Percentile27th percentile
Description

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

low : CVE--2023--31438

Affected range>=257.7-1
Fixed versionNot Fixed
EPSS Score0.10%
EPSS Percentile28th percentile
Description

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

low : CVE--2023--31437

Affected range>=257.7-1
Fixed versionNot Fixed
EPSS Score0.13%
EPSS Percentile33rd percentile
Description

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

low : CVE--2013--4392

Affected range>=257.7-1
Fixed versionNot Fixed
EPSS Score0.07%
EPSS Percentile21st percentile
Description

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

critical: 0 high: 0 medium: 0 low: 3 krb5 1.21.3-5 (deb)

pkg:deb/debian/krb5@1.21.3-5?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2024--26461

Affected range>=1.21.3-5
Fixed versionNot Fixed
EPSS Score0.08%
EPSS Percentile25th percentile
Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

low : CVE--2024--26458

Affected range>=1.21.3-5
Fixed versionNot Fixed
EPSS Score0.21%
EPSS Percentile44th percentile
Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

low : CVE--2018--5709

Affected range>=1.21.3-5
Fixed versionNot Fixed
EPSS Score0.46%
EPSS Percentile63rd percentile
Description

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

critical: 0 high: 0 medium: 0 low: 2 coreutils 9.7-3 (deb)

pkg:deb/debian/coreutils@9.7-3?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2025--5278

Affected range>=9.7-3
Fixed versionNot Fixed
EPSS Score0.02%
EPSS Percentile3rd percentile
Description

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.

low : CVE--2017--18018

Affected range>=9.7-3
Fixed versionNot Fixed
EPSS Score0.06%
EPSS Percentile17th percentile
Description

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

critical: 0 high: 0 medium: 0 low: 2 shadow 1:4.17.4-2 (deb)

pkg:deb/debian/shadow@1:4.17.4-2?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2024--56433

Affected range>=1:4.17.4-2
Fixed versionNot Fixed
EPSS Score2.81%
EPSS Percentile86th percentile
Description

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

low : CVE--2007--5686

Affected range>=1:4.17.4-2
Fixed versionNot Fixed
EPSS Score0.33%
EPSS Percentile55th percentile
Description

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

  • shadow (unimportant)
    See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so
    unknown usernames are not recorded on login failures
critical: 0 high: 0 medium: 0 low: 1 openssl 3.5.1-1 (deb)

pkg:deb/debian/openssl@3.5.1-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2010--0928

Affected range>=3.2.1-3
Fixed versionNot Fixed
EPSS Score0.11%
EPSS Percentile30th percentile
Description

OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."

http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf
openssl/openssl#24540
Fault injection based attacks are not within OpenSSLs threat model according
to the security policy: https://www.openssl.org/policies/general/security-policy.html

critical: 0 high: 0 medium: 0 low: 1 util-linux 2.41-5 (deb)

pkg:deb/debian/util-linux@2.41-5?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2022--0563

Affected range>=2.41-5
Fixed versionNot Fixed
EPSS Score0.03%
EPSS Percentile5th percentile
Description

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

critical: 0 high: 0 medium: 0 low: 1 sqlite3 3.46.1-7 (deb)

pkg:deb/debian/sqlite3@3.46.1-7?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2021--45346

Affected range>=3.46.1-7
Fixed versionNot Fixed
EPSS Score0.20%
EPSS Percentile43rd percentile
Description

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

critical: 0 high: 0 medium: 0 low: 1 apt 3.0.3 (deb)

pkg:deb/debian/apt@3.0.3?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2011--3374

Affected range>=3.0.3
Fixed versionNot Fixed
EPSS Score1.51%
EPSS Percentile80th percentile
Description

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

critical: 0 high: 0 medium: 0 low: 1 perl 5.40.1-6 (deb)

pkg:deb/debian/perl@5.40.1-6?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2011--4116

Affected range>=5.40.1-6
Fixed versionNot Fixed
EPSS Score0.16%
EPSS Percentile38th percentile
Description

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

critical: 0 high: 0 medium: 0 low: 1 python-pip 25.1.1+dfsg-1 (deb)

pkg:deb/debian/python-pip@25.1.1%2Bdfsg-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2018--20225

Affected range>=25.1.1+dfsg-1
Fixed versionNot Fixed
EPSS Score2.89%
EPSS Percentile86th percentile
Description

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely

@greenbonebot greenbonebot merged commit 438c1ec into main Aug 18, 2025
17 checks passed
@greenbonebot greenbonebot deleted the dependabot/github_actions/github-actions-a331d3ec2d branch August 18, 2025 07:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bjoernricks bjoernricks bjoernricks approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bjoernricks @greenbonebot