[CVE-2023-5752] Mercurial configuration injectable in repo revision when installing via pip - Security-announce
When installing a package from a Mercurial VCS URL (i.e. "pip install hg+…") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
This is a *MEDIUM* severity vulnerability.
*Affected versions:*
pip versions before v23.3 are affected by this vulnerability.
*Remediation:*
- Upgrade to at least pip v23.3
- Don't clone Mercurial repositories or allow uncontrolled input to the target Mercurial URL and revision.
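The second remediation point is about keeping untrusted input away from the argument list handed to `hg`. The following is an added example (not pip's code, and not the fix in the referenced pull request) of how a tool that shells out to Mercurial can refuse option-shaped revisions and pass the revision as its own argv element. The revision grammar, the `is_safe_revision`/`build_clone_argv` names and the use of `--rev` plus the `--` end-of-options separator are assumptions made for this illustration.

```python
"""Added example: validate a Mercurial revision before it reaches `hg`.

Illustrative defensive code; it is not pip's own implementation.
"""
import re
import subprocess
from typing import List, Optional

# Assumed conservative grammar for a revision argument: a changeset hash,
# tag, bookmark or branch name. The first character may not be '-', so the
# value can never be parsed by hg as an option such as --config.
_REV_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]*$")


class UnsafeRevisionError(ValueError):
    """Raised when a revision string looks like an hg option or is malformed."""


def is_safe_revision(rev: str) -> bool:
    """Return True only for revisions matching the conservative grammar."""
    return bool(rev) and not rev.startswith("-") and _REV_RE.fullmatch(rev) is not None


def validate_revision(rev: str) -> str:
    """Return rev unchanged, or raise UnsafeRevisionError if it is suspicious."""
    if not is_safe_revision(rev):
        raise UnsafeRevisionError(f"refusing suspicious Mercurial revision: {rev!r}")
    return rev


def build_clone_argv(url: str, dest: str, rev: Optional[str] = None) -> List[str]:
    """Build the argv for `hg clone`.

    The revision is validated and passed as a separate argv element after
    --rev, and '--' terminates option parsing before the positional URL and
    destination. Nothing is interpolated into a shell string.
    """
    argv = ["hg", "clone", "--noupdate", "-q"]
    if rev is not None:
        argv += ["--rev", validate_revision(rev)]
    argv += ["--", url, dest]
    return argv


def run_clone(url: str, dest: str, rev: Optional[str] = None) -> None:
    """Execute the clone without a shell so argv boundaries are preserved."""
    subprocess.run(build_clone_argv(url, dest, rev), check=True)


if __name__ == "__main__":
    # Constructed inputs: a benign tag and an option-shaped revision.
    print(build_clone_argv("https://example.invalid/repo", "dest", "v1.2"))
    try:
        build_clone_argv("https://example.invalid/repo", "dest", "--config=ui.foo=bar")
    except UnsafeRevisionError as exc:
        print(exc)
```

The grammar is deliberately strict: it rejects revset expressions (for example anything containing spaces, parentheses or `~`), which legitimate callers sometimes use. Loosening it is a policy decision; the invariant worth keeping is that the value never begins with `-` and is never joined into a single shell string.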
*References:*
- https://www.cve.org/CVERecord?id=CVE-2023-5752
- https://github.com/pypa/pip/pull/12306