All ideas/devtools/Plataforma SaaS de seguridad y gestión automatizada de dependencias Python que detecta, alerta y remedia vulnerabilidades en paquetes y versiones instaladas, con enfoque en configuraciones de índices múltiples.

GitHubB2Bdevtools

Plataforma SaaS de seguridad y gestión automatizada de dependencias Python que detecta, alerta y remedia vulnerabilidades en paquetes y versiones instaladas, con enfoque en configuraciones de índices múltiples.

Scouted 6 hours ago

7.0/ 10

Overall score

Turn this signal into an edge

We help you build it, validate it, and get there first.

Go from idea to plan: who buys, what MVP to launch, how to validate it, and what to measure before spending months.

Extra context

Learn more about this idea

Get a clearer explanation of what the opportunity means, the current problem behind it, how this idea solves it, and the key concepts involved.

Score breakdown

Urgency8.0

Market size7.0

Feasibility7.0

Competition6.0

Pain point

Vulnerabilidades en la gestión de paquetes Python que pueden ser explotadas por versiones maliciosas en índices externos.

Who'd pay for this

Equipos de desarrollo de software, empresas que gestionan proyectos Python, y proveedores de software que dependen de paquetes externos.

Source signal

"An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index."

Original post

pip-19.3.1-py37_0.conda: 2 vulnerabilities (highest severity is: 7.8)

Published: 6 hours ago

Repository: jgeraigery/coremltools Author: mend-for-github-com[bot] <details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - pip-19.3.1-py37_0.conda</summary> PyPA recommended tool for installing Python packages Library home page: <a href="http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda">http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda</a> Path to dependency file: /deps/protobuf/python/docs/environment.yml Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-19.3.1-py37_0.conda Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a></details> ## Vulnerabilities | Vulnerability | Severity | <img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (pip version) | Remediation Possible** | Reachability | | ------------- | ------------- | ----- | ----- | ----- | ----- | ----- | ------------- | --- | --- | | [CVE-2018-20225](https://www.mend.io/vulnerability-database/CVE-2018-20225) | <img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> High | 7.8 | Not Defined | 1.7% | pip-19.3.1-py37_0.conda | Direct | N/A | ❌| | | [CVE-2026-1703](https://www.mend.io/vulnerability-database/CVE-2026-1703) | <img src='https://whitesource-resources.whitesourcesoftware.com/low_vul.png?' width=19 height=20> Low | 3.5 | Not Defined | 0.0% | pip-19.3.1-py37_0.conda | Direct | https://github.com/pypa/pip.git - 26.0,pip - 26.0 | ❌| | **In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation ## Details <details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> CVE-2018-20225</summary> ### Vulnerable Library - pip-19.3.1-py37_0.conda PyPA recommended tool for installing Python packages Library home page: <a href="http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda">http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda</a> Path to dependency file: /deps/protobuf/python/docs/environment.yml Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-19.3.1-py37_0.conda Dependency Hierarchy: - :x: **pip-19.3.1-py37_0.conda** (Vulnerable Library) Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a> Found in base branch: main ### Vulnerability Details An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely Mend Note: The description of this vulnerability differs from MITRE. Publish Date: 2020-05-08 URL: <a href=https://www.mend.io/vulnerability-database/CVE-2018-20225>CVE-2018-20225</a> ### Threat Assessment Exploit Maturity: Not Defined EPSS: 1.7% ### CVSS 3 Score Details (7.8) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>. </details><details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/low_vul.png?' width=19 height=20> CVE-2026-1703</summary> ### Vulnerable Library - pip-19.3.1-py37_0.conda PyPA recommended tool for installing Python packages Library home page: <a href="http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda">http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda</a> Path to dependency file: /deps/protobuf/python/docs/environment.yml Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-19.3.1-py37_0.conda Dependency Hierarchy: - :x: **pip-19.3.1-py37_0.conda** (Vulnerable Library) Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a> Found in base branch: main ### Vulnerability Details When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations. Publish Date: 2026-02-02 URL: <a href=https://www.mend.io/vulnerability-database/CVE-2026-1703>CVE-2026-1703</a> ### Threat Assessment Exploit Maturity: Not Defined EPSS: 0.0% ### CVSS 3 Score Details (3.5) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>. ### Suggested Fix Type: Upgrade version Release Date: 2026-02-02 Fix Resolution: https://github.com/pypa/pip.git - 26.0,pip - 26.0 </details>

View on github ↗