PT-2023-7006 · Pypi · Pip

Paul Gerste

Published 2023-10-24 · Updated 2026-05-07

CVE-2023-5752

CVSS v4.0: 6.8 Medium

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: pip versions prior to v23.3

Description: The issue is the injection of arbitrary configuration options into the "hg clone" call that pip runs when installing a package from a Mercurial VCS URL. An injected option can change how, and which, repository is cloned and installed. The vulnerability does not affect users who are not installing from Mercurial.

Recommendations: For pip versions prior to v23.3, update to version v23.3 or later to resolve the issue. As a temporary workaround, avoid installing packages from Mercurial VCS URLs until the update is applied. Restrict access to the hg clone call to minimize the risk of exploitation. Avoid using the --config option in the "hg clone" call until the issue is resolved.

Fix

Weakness Enumeration: Command Injection

Related Identifiers

AZL-39958
AZL-60006
BDU:2023-08026
BIT-PIP-2023-5752
CVE-2023-5752
DLA-4348-1
ECHO-1342-C991-4C68
GHSA-MQ26-G339-26XF
MGASA-2025-0055
OPENSUSE-SU-2023_4988-1
OPENSUSE-SU-2024:13454-1
OPENSUSE-SU-2024_3156-1
PYSEC-2023-228
RHSA-2024:3781
SUSE-SU-2023:4987-1
SUSE-SU-2023:4988-1
SUSE-SU-2023_4987-1
SUSE-SU-2024:0892-1
SUSE-SU-2024:3156-1
SUSE-SU-2024_0892-1

Affected Products

Astra Linux
Debian
Red Os
Suse
Pip