CVE-2023-5752: Mercurial configuration injectable in repo revision when installing via pip
First published: Tue Oct 24 2023(Updated: )
Python Packaging Authority pip could allow a local authenticated attacker to bypass security restrictions, caused by a flaw when installing a package from a Mercurial VCS URL. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject arbitrary configuration options to the "hg clone" call to modify how and which repository is installed.
Credit: cna@python.org cna@python.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/pip | <23.3 | 23.3 |
| redhat/pip | <23.3 | 23.3 |
| IBM Security Verify Access | <=10.0.0 - 10.0.7.1 | |
| pypa pip | <23.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-5752
- https://github.com/pypa/pip/pull/12306
- https://github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4
- https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ
- https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW
- https://github.com/advisories/GHSA-mq26-g339-26xf (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/
- https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2250771
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2250765#c6
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2263291
- https://access.redhat.com/errata/RHSA-2024:3781
- https://bugzilla.redhat.com/show_bug.cgi?id=2250765
- https://exchange.xforce.ibmcloud.com/vulnerabilities/269797
- https://www.ibm.com/support/pages/node/7158789 (Advisory)
Frequently Asked Questions
What is CVE-2023-5752?
CVE-2023-5752 is a vulnerability in the pip package manager that allows an attacker to inject arbitrary configuration options during package installation.
How does CVE-2023-5752 impact users?
CVE-2023-5752 can be exploited by an attacker to modify the Mercurial configuration during package installation, potentially compromising the integrity and security of the system.
What is the severity of CVE-2023-5752?
The severity of CVE-2023-5752 is medium, with a severity value of 5.5.
How can I fix CVE-2023-5752?
To fix CVE-2023-5752, users should update their pip package manager to version 23.3 or higher.
Where can I find more information about CVE-2023-5752?
You can find more information about CVE-2023-5752 on the GitHub pull request, the Python security-announce mailing list, and the NIST National Vulnerability Database.
- agent/author
- agent/type
- agent/weakness
- agent/remedy
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/title
- agent/first-publish-date
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-mq26-g339-26xf
- alias/CVE-2023-5752
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- collector/github-advisory
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/severity
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/pip
- package-manager/redhat
- vendor/ibm
- canonical/ibm security verify access
- version/ibm security verify access/10.0.0 - 10.0.7.1
- vendor/pypa
- canonical/pypa pip