CVE-2023-5752

ADVISORY - github

Summary

When installing a package from a Mercurial VCS URL, e.g. pip install hg+..., with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (e.g. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

EPSS Score: 0.0004 (0.116)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADVISORY - github

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADVISORY - gitlab

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Improper Neutralization of Special Elements used in a Command ('Command Injection')

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

Improper Neutralization of Special Elements used in a Command ('Command Injection')


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in