Todas las ideas/devtools/Plataforma SaaS de seguridad y gestión automatizada de dependencias Python que detecta, alerta y remedia vulnerabilidades en paquetes y versiones instaladas, con enfoque en configuraciones de índices múltiples.

GitHubB2Bdevtools

Plataforma SaaS de seguridad y gestión automatizada de dependencias Python que detecta, alerta y remedia vulnerabilidades en paquetes y versiones instaladas, con enfoque en configuraciones de índices múltiples.

Detectado hace 6 horas

7.0/ 10

Puntaje general

Convierte esta senal en ventaja

Te ayudamos a construirla, validarla y llegar primero.

Pasamos de la idea al plan: quien compra, que MVP lanzar, como validarlo y que medir antes de invertir meses.

Contexto extra

Ver mas sobre la idea

Te contamos que significa realmente la oportunidad, que problema existe hoy, como esta idea lo resolveria y los conceptos clave detras de ella.

Desglose del puntaje

Urgencia8.0

Tamano de mercado7.0

Viabilidad7.0

Competencia6.0

Dolor

Vulnerabilidades en la gestión de paquetes Python que pueden ser explotadas por versiones maliciosas en índices externos.

Quien pagaria por esto

Equipos de desarrollo de software, empresas que gestionan proyectos Python, y proveedores de software que dependen de paquetes externos.

Senal de origen

"An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index."

Publicacion original

pip-19.3.1-py37_0.conda: 2 vulnerabilities (highest severity is: 7.8)

Publicado: hace 6 horas

Repository: jgeraigery/coremltools Author: mend-for-github-com[bot] <details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - pip-19.3.1-py37_0.conda</summary> PyPA recommended tool for installing Python packages Library home page: <a href="http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda">http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda</a> Path to dependency file: /deps/protobuf/python/docs/environment.yml Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-19.3.1-py37_0.conda Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a></details> ## Vulnerabilities | Vulnerability | Severity | <img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (pip version) | Remediation Possible** | Reachability | | ------------- | ------------- | ----- | ----- | ----- | ----- | ----- | ------------- | --- | --- | | [CVE-2018-20225](https://www.mend.io/vulnerability-database/CVE-2018-20225) | <img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> High | 7.8 | Not Defined | 1.7% | pip-19.3.1-py37_0.conda | Direct | N/A | ❌| | | [CVE-2026-1703](https://www.mend.io/vulnerability-database/CVE-2026-1703) | <img src='https://whitesource-resources.whitesourcesoftware.com/low_vul.png?' width=19 height=20> Low | 3.5 | Not Defined | 0.0% | pip-19.3.1-py37_0.conda | Direct | https://github.com/pypa/pip.git - 26.0,pip - 26.0 | ❌| | **In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation ## Details <details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> CVE-2018-20225</summary> ### Vulnerable Library - pip-19.3.1-py37_0.conda PyPA recommended tool for installing Python packages Library home page: <a href="http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda">http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda</a> Path to dependency file: /deps/protobuf/python/docs/environment.yml Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-19.3.1-py37_0.conda Dependency Hierarchy: - :x: **pip-19.3.1-py37_0.conda** (Vulnerable Library) Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a> Found in base branch: main ### Vulnerability Details An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely Mend Note: The description of this vulnerability differs from MITRE. Publish Date: 2020-05-08 URL: <a href=https://www.mend.io/vulnerability-database/CVE-2018-20225>CVE-2018-20225</a> ### Threat Assessment Exploit Maturity: Not Defined EPSS: 1.7% ### CVSS 3 Score Details (7.8) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>. </details><details> <summary><img src='https://whitesource-resources.whitesourcesoftware.com/low_vul.png?' width=19 height=20> CVE-2026-1703</summary> ### Vulnerable Library - pip-19.3.1-py37_0.conda PyPA recommended tool for installing Python packages Library home page: <a href="http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda">http://repo.continuum.io/pkgs/main/linux-64/pip-19.3.1-py37_0.conda</a> Path to dependency file: /deps/protobuf/python/docs/environment.yml Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/pip-19.3.1-py37_0.conda Dependency Hierarchy: - :x: **pip-19.3.1-py37_0.conda** (Vulnerable Library) Found in HEAD commit: <a href="https://github.com/jgeraigery/coremltools/commit/cb187ac68bbd85399a27da116bd477a755448e9e">cb187ac68bbd85399a27da116bd477a755448e9e</a> Found in base branch: main ### Vulnerability Details When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations. Publish Date: 2026-02-02 URL: <a href=https://www.mend.io/vulnerability-database/CVE-2026-1703>CVE-2026-1703</a> ### Threat Assessment Exploit Maturity: Not Defined EPSS: 0.0% ### CVSS 3 Score Details (3.5) Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>. ### Suggested Fix Type: Upgrade version Release Date: 2026-02-02 Fix Resolution: https://github.com/pypa/pip.git - 26.0,pip - 26.0 </details>

Ver en github ↗