ghsa-mq26-g339-26xf
Vulnerability from github
Published
2023-10-25 18:32
Modified
2024-10-14 21:21
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
6.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Command Injection in pip when used with Mercurial
Details
When installing a package from a Mercurial VCS URL, e.g. pip install hg+...
, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone
call (e.g. --config
). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "pip" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "23.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-5752" ], "database_specific": { "cwe_ids": [ "CWE-77" ], "github_reviewed": true, "github_reviewed_at": "2023-10-30T15:00:34Z", "nvd_published_at": "2023-10-25T18:17:44Z", "severity": "MODERATE" }, "details": "When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren\u0027t installing from Mercurial.", "id": "GHSA-mq26-g339-26xf", "modified": "2024-10-14T21:21:21Z", "published": "2023-10-25T18:32:26Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5752" }, { "type": "WEB", "url": "https://github.com/pypa/pip/pull/12306" }, { "type": "WEB", "url": "https://github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml" }, { "type": "PACKAGE", "url": "https://github.com/pypa/pip" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ" }, { "type": "WEB", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Command Injection in pip when used with Mercurial" }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.