When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: PSF

Published: 2023-10-24T20:56:05.469Z

Updated: 2023-10-24T21:41:30.616Z

Reserved: 2023-10-24T15:04:01.631Z


Link: CVE-2023-5752

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2023-10-25T18:17:44.867

Modified: 2024-06-10T18:15:24.660


Link: CVE-2023-5752

JSON object: View

cve-icon Redhat Information

No data.

CWE