Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1tcTI2LWczMzktMjZ4Zs4AA2sC

Command Injection in pip when used with Mercurial

When installing a package from a Mercurial VCS URL, e.g. pip install hg+..., with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (e.g. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Permalink: https://github.com/advisories/GHSA-mq26-g339-26xf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tcTI2LWczMzktMjZ4Zs4AA2sC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: about 13 hours ago

CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-mq26-g339-26xf, CVE-2023-5752
References:

• https://nvd.nist.gov/vuln/detail/CVE-2023-5752
• https://github.com/pypa/pip/pull/12306
• https://github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4
• https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml
• https://lists.fedoraproject.org/archives/list/[email protected]/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ
• https://mail.python.org/archives/list/[email protected]/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL
• https://lists.fedoraproject.org/archives/list/[email protected]/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E
• https://github.com/advisories/GHSA-mq26-g339-26xf

Repository: https://github.com/pypa/pip
Blast Radius: 25.0

Affected Packages