5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
7.1 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
16.0%
pip is vulnerable to Command Injection. While installing a package from Mercurial VCS URL, a specified mercurial URL could be used to inject arbitrary configuration options to the hg clone call. Controlling the Mercurial configuration can modify how and which repository is installed.
github.com/advisories/GHSA-mq26-g339-26xf
github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4
github.com/pypa/pip/pull/12306
lists.fedoraproject.org/archives/list/[email protected]/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/
lists.fedoraproject.org/archives/list/[email protected]/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/
lists.fedoraproject.org/archives/list/[email protected]/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/
lists.fedoraproject.org/archives/list/[email protected]/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/
lists.fedoraproject.org/archives/list/[email protected]/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/
mail.python.org/archives/list/[email protected]/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
7.1 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
16.0%