PT-2023-7006 · Pypi+4 · Pip+4

Paul Gerste

+1

·

Published

2023-10-24

·

Updated

2026-06-05

·

CVE-2023-5752

CVSS v4.0

6.8

Medium

Vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: pip, all versions prior to v23.3.
Description: When pip (before v23.3) installs a package from a Mercurial VCS URL (`hg+...`), the revision component of that URL reaches the `hg clone` command line in a way that allows arbitrary Mercurial configuration options (for example `--config`) to be injected into the call. Controlling the Mercurial configuration can change how, and which, repository is cloned and installed. Users who do not install from Mercurial are not affected.
Recommendations: Upgrade pip to v23.3 or later. Until the upgrade is possible, do not install from Mercurial VCS URLs that originate from sources you do not control (requirements or constraints files you did not author), and review any `hg+` URL whose revision component looks like a command-line option (begins with a dash, such as `--config`) rather than a changeset, tag or branch name. Note that the injected `--config` option is supplied by whoever controls the URL, not by the installing user, so refraining from using `--config` yourself is not a mitigation; the only real fix is the updated pip.
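The following is an added illustration written for this page, not pip's own code and not a reproduction of pip's patch. It shows the mechanism the description refers to: a revision taken from a `hg+<url>@<rev>` requirement is appended to the hg command line as its own argv token, so a revision such as `--config=...` is parsed as an option rather than a changeset. Two general hardening measures are shown beside the vulnerable shape: rejecting option-like revisions up front, and binding the revision into a single `--rev=<rev>` token so it can never stand alone as a flag. The URL splitting rule and the tiny option parser that stands in for hg are simplifying assumptions; the sample URLs and the `--config` placeholder value are constructed, and no hg process is spawned.

```python
"""Added illustration of the option-injection pattern behind CVE-2023-5752.

Example code written for this page; not pip's code and not pip's fix.
Assumptions: the revision is whatever follows the last '@' in the URL
path (illustrative, not pip's parser); parse_like_hg() is a toy stand-in
for hg's option parsing. No hg process is spawned.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class HgRequirement:
    repo_url: str
    rev: Optional[str]


def parse_hg_url(vcs_url: str) -> HgRequirement:
    """Split a pip-style 'hg+<scheme>://host/path[@rev][#fragment]' URL.

    The '#...' fragment (e.g. egg=name) never reaches hg and is dropped.
    Splitting on the last '@' of the path keeps 'user@host' netlocs intact.
    """
    if not vcs_url.startswith("hg+"):
        raise ValueError("not a Mercurial VCS URL")
    url = vcs_url[len("hg+"):].split("#", 1)[0]
    scheme, _, rest = url.partition("://")
    netloc, slash, path = rest.partition("/")
    rev: Optional[str] = None
    at = path.rfind("@")
    if at != -1:
        path, rev = path[:at], path[at + 1:]
    repo_url = f"{scheme}://{netloc}" + (f"/{path}" if slash else "")
    return HgRequirement(repo_url, rev or None)


def is_option_like(rev: str) -> bool:
    """A revision beginning with '-' would be read by hg as an option."""
    return rev.startswith("-")


def vulnerable_update_argv(req: HgRequirement) -> List[str]:
    """Vulnerable shape: the revision is appended as a bare positional token.

    If req.rev is '--config=...', that string becomes its own argv entry,
    which hg parses as a --config option rather than as a changeset.
    """
    argv = ["hg", "update", "-q"]
    if req.rev:
        argv.append(req.rev)
    return argv


def hardened_update_argv(req: HgRequirement) -> List[str]:
    """Hardened shape: refuse option-like revisions, and bind the revision
    to --rev inside one token so it cannot be parsed as a flag of its own."""
    argv = ["hg", "update", "-q"]
    if req.rev:
        if is_option_like(req.rev):
            raise ValueError(f"refusing option-like revision: {req.rev!r}")
        argv.append(f"--rev={req.rev}")
    return argv


OptValue = Union[bool, str]


def parse_like_hg(argv: List[str]) -> Tuple[Dict[str, OptValue], List[str]]:
    """Toy approximation of option parsing (not hg's real parser).

    For everything after 'hg <command>': '--name=value' becomes
    options['--name'] = 'value'; any other token starting with '-' is a
    boolean flag; the rest are positional arguments.
    """
    options: Dict[str, OptValue] = {}
    positionals: List[str] = []
    for tok in argv[2:]:
        if tok.startswith("--") and "=" in tok:
            name, value = tok.split("=", 1)
            options[name] = value
        elif tok.startswith("-"):
            options[tok] = True
        else:
            positionals.append(tok)
    return options, positionals


if __name__ == "__main__":
    # Constructed sample inputs; 'ui.example=1' is a harmless placeholder value.
    hostile = parse_hg_url("hg+https://hg.example.org/repo@--config=ui.example=1#egg=demo")
    benign = parse_hg_url("hg+https://hg.example.org/repo@v1.2.0#egg=demo")
    print("vulnerable, hostile rev:", parse_like_hg(vulnerable_update_argv(hostile)))
    print("vulnerable, benign rev :", parse_like_hg(vulnerable_update_argv(benign)))
    print("hardened, benign rev   :", parse_like_hg(hardened_update_argv(benign)))
    try:
        hardened_update_argv(hostile)
    except ValueError as exc:
        print("hardened, hostile rev  : rejected ->", exc)
```

Running the block shows the difference that matters: with the vulnerable argv, the hostile revision lands under the `--config` option and no changeset is selected at all, whereas with the hardened argv a benign revision is bound to `--rev` and a hostile one never reaches the command line. The same two measures (validate the value, then pass it in a form that cannot be re-tokenised as an option) apply to any tool that builds a subprocess argv from user-supplied VCS metadata.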

Fix

DoS

Command Injection


Weakness Enumeration

Related identifiers

AZL-39958
AZL-60006
BDU:2023-08026
BIT-PIP-2023-5752
CVE-2023-5752
DLA-4348-1
ECHO-1342-C991-4C68
GHSA-MQ26-G339-26XF
MGASA-2025-0055
OESA-2026-2541
OESA-2026-2542
OPENSUSE-SU-2023_4988-1
OPENSUSE-SU-2024:13454-1
OPENSUSE-SU-2024_3156-1
PYSEC-2023-228
RHSA-2024:3781
SUSE-SU-2023:4987-1
SUSE-SU-2023:4988-1
SUSE-SU-2023_4987-1
SUSE-SU-2024:0892-1
SUSE-SU-2024:3156-1
SUSE-SU-2024_0892-1

Affected products

Astra Linux
Debian
Red Os
Suse
Pip