CVE-2023-5752
ADVISORY - githubSummary
When installing a package from a Mercurial VCS URL, e.g. pip install hg+...
, with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone
call (e.g. --config
). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
EPSS Score: 0.0004 (0.116)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Improper Neutralization of Special Elements used in a Command ('Command Injection')
ADVISORY - github
Improper Neutralization of Special Elements used in a Command ('Command Injection')
ADVISORY - gitlab
ADVISORY - redhat
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in