5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
16.0%
When installing a package from a Mercurial VCS URL, e.g. pip install hg+...
, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone
call (e.g. --config
). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren’t installing from Mercurial.
github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml
github.com/pypa/pip
github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4
github.com/pypa/pip/pull/12306
lists.fedoraproject.org/archives/list/[email protected]/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U
lists.fedoraproject.org/archives/list/[email protected]/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH
lists.fedoraproject.org/archives/list/[email protected]/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW
lists.fedoraproject.org/archives/list/[email protected]/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E
lists.fedoraproject.org/archives/list/[email protected]/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ
mail.python.org/archives/list/[email protected]/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL
nvd.nist.gov/vuln/detail/CVE-2023-5752
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
16.0%