First published: Tue Oct 24 2023(Updated: )
Python Packaging Authority pip could allow a local authenticated attacker to bypass security restrictions, caused by a flaw when installing a package from a Mercurial VCS URL. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject arbitrary configuration options to the "hg clone" call to modify how and which repository is installed.
Credit: cna@python.org cna@python.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/pip | <23.3 | 23.3 |
IBM Security Verify Access | <=10.0.0 - 10.0.7.1 | |
pypa pip | <23.3 | |
pip/pip | <23.3 | 23.3 |
<23.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-5752 is a vulnerability in the pip package manager that allows an attacker to inject arbitrary configuration options during package installation.
CVE-2023-5752 can be exploited by an attacker to modify the Mercurial configuration during package installation, potentially compromising the integrity and security of the system.
The severity of CVE-2023-5752 is medium, with a severity value of 5.5.
To fix CVE-2023-5752, users should update their pip package manager to version 23.3 or higher.
You can find more information about CVE-2023-5752 on the GitHub pull request, the Python security-announce mailing list, and the NIST National Vulnerability Database.