#VU84849 Command Injection in pip


Published: 2023-12-28

Vulnerability identifier: #VU84849

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-5752

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pip
Universal components / Libraries / Programming Languages & Components

Vendor: Python Packaging Authority

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation when installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip. A remote attacker who controls the repository can use the specified Mercurial revision to inject arbitrary configuration options to the "hg clone" call (ie "--config").

Mitigation
Install updates from vendor's website.

Vulnerable software versions

pip: 0.3 - 23.2.1

External links
http://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
http://github.com/pypa/pip/pull/12306

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Fedora 40 update for pypy
Fedora 39 update for pypy
Fedora 38 update for pypy
Fedora 41 update for pypy
Fedora 39 update for python-pip
Fedora 38 update for python-pip
Multiple vulnerabilities in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in IBM Cloud Pak for Business Automation
SUSE update for python-pip
SUSE update for python-pip