Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tcTI2LWczMzktMjZ4Zs4AA2sC
Command Injection in pip when used with Mercurial
When installing a package from a Mercurial VCS URL, e.g. pip install hg+..., with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (e.g. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tcTI2LWczMzktMjZ4Zs4AA2sC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 2 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Percentage: 0.00045
EPSS Percentile: 0.17515
Identifiers: GHSA-mq26-g339-26xf, CVE-2023-5752
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-5752
- https://github.com/pypa/pip/pull/12306
- https://github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4
- https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml
- https://lists.fedoraproject.org/archives/list/[email protected]/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ
- https://mail.python.org/archives/list/[email protected]/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL
- https://lists.fedoraproject.org/archives/list/[email protected]/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E
- https://lists.fedoraproject.org/archives/list/[email protected]/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U
- https://lists.fedoraproject.org/archives/list/[email protected]/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH
- https://lists.fedoraproject.org/archives/list/[email protected]/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW
- https://github.com/advisories/GHSA-mq26-g339-26xf
Blast Radius: 25.0
Affected Packages
pypi:pip
Dependent packages: 1,678Dependent repositories: 35,613
Downloads: 320,882,021 last month
Affected Version Ranges: < 23.3
Fixed in: 23.3
All affected versions: 0.2.1, 0.3.1, 0.5.1, 0.6.1, 0.6.2, 0.6.3, 0.7.1, 0.7.2, 0.8.1, 0.8.2, 0.8.3, 1.0.1, 1.0.2, 1.2.1, 1.3.1, 1.4.1, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1.0, 6.1.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.1.1, 8.1.2, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 10.0.0, 10.0.1, 19.0.1, 19.0.2, 19.0.3, 19.1.1, 19.2.1, 19.2.2, 19.2.3, 19.3.1, 20.0.1, 20.0.2, 20.1.1, 20.2.1, 20.2.2, 20.2.3, 20.2.4, 20.3.1, 20.3.2, 20.3.3, 20.3.4, 21.0.1, 21.1.1, 21.1.2, 21.1.3, 21.2.1, 21.2.2, 21.2.3, 21.2.4, 21.3.1, 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.1.1, 22.1.2, 22.2.1, 22.2.2, 22.3.1, 23.0.1, 23.1.1, 23.1.2, 23.2.1
All unaffected versions: 23.3.1, 23.3.2, 24.1.1, 24.1.2, 24.3.1