Path to vulnerable library: /awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl,/awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl
Path to vulnerable library: /awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl,/awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
Path to vulnerable library: /awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/tests/old-wheels/pip-9.0.1-py2.py3-none-any.whl,/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/tests/old-wheels/pip-9.0.1-py2.py3-none-any.whl
When installing a package from a Mercurial VCS URL (ie "pip install
hg+...") with pip prior to v23.3, the specified Mercurial revision could
be used to inject arbitrary configuration options to the "hg clone"
call (ie "--config"). Controlling the Mercurial configuration can modify
how and which repository is installed. This vulnerability does not
affect users who aren't installing from Mercurial.
CVE-2023-5752 - Medium Severity Vulnerability
Vulnerable Libraries - pip-19.3.1-py2.py3-none-any.whl, pip-19.1.1-py2.py3-none-any.whl, pip-9.0.1-py2.py3-none-any.whl
pip-19.3.1-py2.py3-none-any.whl
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl
Path to vulnerable library: /awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl,/awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl
Dependency Hierarchy: - :x: **pip-19.3.1-py2.py3-none-any.whl** (Vulnerable Library)
pip-19.1.1-py2.py3-none-any.whl
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl
Path to vulnerable library: /awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl,/awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
Dependency Hierarchy: - :x: **pip-19.1.1-py2.py3-none-any.whl** (Vulnerable Library)
pip-9.0.1-py2.py3-none-any.whl
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/b6/ac/7015eb97dc749283ffdec1c3a88ddb8ae03b8fad0f0e611408f196358da3/pip-9.0.1-py2.py3-none-any.whl
Path to vulnerable library: /awscli-bundle/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/tests/old-wheels/pip-9.0.1-py2.py3-none-any.whl,/awscli-bundle/packages/virtualenv-16.7.8.tar/virtualenv-16.7.8/tests/old-wheels/pip-9.0.1-py2.py3-none-any.whl
Dependency Hierarchy: - :x: **pip-9.0.1-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
Vulnerability Details
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
Publish Date: 2023-10-24
URL: CVE-2023-5752
CVSS 3 Score Details (5.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-5752
Release Date: 2023-10-24
Fix Resolution: 23.3
Step up your Open Source Security Game with Mend here