CVE-2023-5752

Public on 2023-10-25
Modified on 2024-05-22
Description
When installing a package from a Mercurial VCS URL (ie "pip install
hg+...") with pip prior to v23.3, the specified Mercurial revision could
be used to inject arbitrary configuration options to the "hg clone"
call (ie "--config"). Controlling the Mercurial configuration can modify
how and which repository is installed. This vulnerability does not
affect users who aren't installing from Mercurial.
Severity
Medium severity
Medium
CVSS v3 Base Score
5.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 python-pip No Fix Planned
Amazon Linux 2 - Core python-pip 2023-11-29 ALAS2-2023-2349 Fixed
Amazon Linux 2023 python-pip 2023-12-06 ALAS2023-2023-442 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
NVD CVSSv3 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N