CVE-2023-5752
Mercurial configuration injectable in repo revision when installing via pip
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
When installing a package from a Mercurial VCS URL (ie "pip install
hg+...") with pip prior to v23.3, the specified Mercurial revision could
be used to inject arbitrary configuration options to the "hg clone"
call (ie "--config"). Controlling the Mercurial configuration can modify
how and which repository is installed. This vulnerability does not
affect users who aren't installing from Mercurial.
Al instalar un paquete desde una URL de Mercurial VCS (es decir, "pip install hg+...") con pip anterior a v23.3, la revisión de Mercurial especificada podría usarse para inyectar opciones de configuración arbitrarias a la llamada "hg clone" (es decir, " --config”). Controlar la configuración de Mercurial puede modificar cómo y qué repositorio se instala. Esta vulnerabilidad no afecta a los usuarios que no instalan desde Mercurial.
A flaw was found in the Python pip package. The pip could allow a local authenticated attacker to bypass security restrictions due to a flaw when installing a package from a Mercurial VCS URL. By sending a specially crafted request, an attacker can inject arbitrary configuration options to the "hg clone" call to modify how and which repository is installed.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2023-10-24 CVE Reserved
- 2023-10-24 CVE Published
- 2024-04-21 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (9)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/pypa/pip/pull/12306 | 2024-06-10 |