CVE-2023-5752 — Command Injection in PIP

CWE-77 — Command Injection10 documents8 sources

Severity

3.3LOWNVD

CNA5.5

EPSS

0.1%

top 77.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pypa PIP

Timeline

PublishedOct 25

Latest updateOct 15

Description

When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages2 packages

▶NVDpypa/pip< 23.3

▶PyPIpypa/pip< 23.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+↗2023-10-25

▶

OSV

CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install hg+↗2023-10-25

▶

GHSA

Command Injection in pip when used with Mercurial↗2023-10-25

▶

OSV

Command Injection in pip when used with Mercurial↗2023-10-25

▶

CVEList

Mercurial configuration injectable in repo revision when installing via pip↗2023-10-24

▶

📋Vendor Advisories

Oracle

Oracle Oracle PeopleSoft Risk Matrix: Porting (pip) — CVE-2023-5752↗2024-10-15

▶

Red Hat

pip: Mercurial configuration injectable in repo revision when installing via pip↗2023-10-25

▶

Microsoft

Mercurial configuration injectable in repo revision when installing via pip↗2023-10-10

▶

Debian

CVE-2023-5752: python-pip - When installing a package from a Mercurial VCS URL (ie "pip install hg+...") w...↗2023

▶