UBUNTU-CVE-2026-1703

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-1703

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-1703

Upstream

CVE-2026-1703

Published

2026-02-02T15:16:00Z

Modified

2026-05-20T16:11:33.912043270Z

Severity

2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Ubuntu - low

Summary

[none]

Details

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

References

Affected packages

Ubuntu:22.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.3.4-4

21.*

21.3.1+dfsg-3

22.*

22.0.2+dfsg-1

22.0.2+dfsg-1ubuntu0.1

22.0.2+dfsg-1ubuntu0.2

22.0.2+dfsg-1ubuntu0.3

22.0.2+dfsg-1ubuntu0.4

22.0.2+dfsg-1ubuntu0.5

22.0.2+dfsg-1ubuntu0.6

22.0.2+dfsg-1ubuntu0.7

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "22.0.2+dfsg-1ubuntu0.7",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "22.0.2+dfsg-1ubuntu0.7",
            "binary_name": "python3-pip-whl"
        }
    ],
    "priority_reason": "Limited scope and requires a user to extract a maliciously crafted wheel. Normal users are not vulnerable."
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"

Ubuntu:24.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

23.*

23.2+dfsg-1

23.3+dfsg-1

24.*

24.0+dfsg-1

24.0+dfsg-1ubuntu1

24.0+dfsg-1ubuntu1.1

24.0+dfsg-1ubuntu1.2

24.0+dfsg-1ubuntu1.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "24.0+dfsg-1ubuntu1.3",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "24.0+dfsg-1ubuntu1.3",
            "binary_name": "python3-pip-whl"
        }
    ],
    "priority_reason": "Limited scope and requires a user to extract a maliciously crafted wheel. Normal users are not vulnerable."
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"

Ubuntu:25.10

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

25.*

25.0+dfsg-1

25.1.1+dfsg-1

25.1.1+dfsg-1ubuntu1

25.1.1+dfsg-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2",
            "binary_name": "python3-pip-whl"
        }
    ],
    "priority_reason": "Limited scope and requires a user to extract a maliciously crafted wheel. Normal users are not vulnerable."
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"

Ubuntu:26.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

25.*

25.1.1+dfsg-1ubuntu2

Ecosystem specific

{
    "priority_reason": "Limited scope and requires a user to extract a maliciously crafted wheel. Normal users are not vulnerable.",
    "binaries": [
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2",
            "binary_name": "python3-pip-whl"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"

Ubuntu:Pro:14.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.4.1-2

1.5.4-1

1.5.4-1ubuntu1

1.5.4-1ubuntu3

1.5.4-1ubuntu4

1.5.4-1ubuntu4+esm1

1.5.4-1ubuntu4+esm2

1.5.4-1ubuntu4+esm3

1.5.4-1ubuntu4+esm4

1.5.4-1ubuntu4+esm5

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python3-pip"
        }
    ],
    "priority_reason": "Limited scope and requires a user to extract a maliciously crafted wheel. Normal users are not vulnerable."
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"

Ubuntu:Pro:16.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5.6-7ubuntu1

1.5.6-7ubuntu2

8.*

8.0.2-7

8.0.3-1

8.0.3-2

8.1.0-1

8.1.0-2

8.1.1-1

8.1.1-2

8.1.1-2ubuntu0.1

8.1.1-2ubuntu0.2

8.1.1-2ubuntu0.4

8.1.1-2ubuntu0.6

8.1.1-2ubuntu0.6+esm2

8.1.1-2ubuntu0.6+esm3

8.1.1-2ubuntu0.6+esm4

8.1.1-2ubuntu0.6+esm5

8.1.1-2ubuntu0.6+esm6

8.1.1-2ubuntu0.6+esm8

8.1.1-2ubuntu0.6+esm10

8.1.1-2ubuntu0.6+esm11

8.1.1-2ubuntu0.6+esm12

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm12",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm12",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm12",
            "binary_name": "python3-pip"
        }
    ],
    "priority_reason": "Limited scope and requires a user to extract a maliciously crafted wheel. Normal users are not vulnerable."
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"

Ubuntu:Pro:18.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fbionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.0.1-2

9.0.1-2.3~ubuntu1

9.0.1-2.3~ubuntu1.18.04.1

9.0.1-2.3~ubuntu1.18.04.2

9.0.1-2.3~ubuntu1.18.04.3

9.0.1-2.3~ubuntu1.18.04.4

9.0.1-2.3~ubuntu1.18.04.5

9.0.1-2.3~ubuntu1.18.04.5+esm2

9.0.1-2.3~ubuntu1.18.04.5+esm3

9.0.1-2.3~ubuntu1.18.04.6

9.0.1-2.3~ubuntu1.18.04.6+esm1

9.0.1-2.3~ubuntu1.18.04.7

9.0.1-2.3~ubuntu1.18.04.7+esm1

9.0.1-2.3~ubuntu1.18.04.8

9.0.1-2.3~ubuntu1.18.04.8+esm1

9.0.1-2.3~ubuntu1.18.04.8+esm2

9.0.1-2.3~ubuntu1.18.04.8+esm4

9.0.1-2.3~ubuntu1.18.04.8+esm6

9.0.1-2.3~ubuntu1.18.04.8+esm7

9.0.1-2.3~ubuntu1.18.04.8+esm8

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8",
            "binary_name": "python3-pip"
        }
    ],
    "priority_reason": "Limited scope and requires a user to extract a maliciously crafted wheel. Normal users are not vulnerable."
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"

Ubuntu:Pro:20.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

18.*

18.1-5

18.1-5build1

18.1-5ubuntu1

20.*

20.0.2-2

20.0.2-4

20.0.2-5

20.0.2-5ubuntu1

20.0.2-5ubuntu1.1

20.0.2-5ubuntu1.3

20.0.2-5ubuntu1.4

20.0.2-5ubuntu1.5

20.0.2-5ubuntu1.6

20.0.2-5ubuntu1.7

20.0.2-5ubuntu1.8

20.0.2-5ubuntu1.9

20.0.2-5ubuntu1.10

20.0.2-5ubuntu1.10+esm2

20.0.2-5ubuntu1.11

20.0.2-5ubuntu1.11+esm2

20.0.2-5ubuntu1.11+esm3

20.0.2-5ubuntu1.11+esm4

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "20.0.2-5ubuntu1.11+esm4",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "20.0.2-5ubuntu1.11+esm4",
            "binary_name": "python3-pip"
        }
    ],
    "priority_reason": "Limited scope and requires a user to extract a maliciously crafted wheel. Normal users are not vulnerable."
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"