#VU84849 Command Injection in pip - CVE-2023-5752


Vulnerability identifier: #VU84849

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-5752

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pip
Universal components / Libraries / Programming Languages & Components

Vendor: Python Packaging Authority

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation when installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip. A remote attacker who controls the repository can use the specified Mercurial revision to inject arbitrary configuration options to the "hg clone" call (ie "--config").

Mitigation
Install updates from vendor's website.

Vulnerable software versions

pip: 0.3 - 23.2.1

External links
https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
https://github.com/pypa/pip/pull/12306

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Maximo Application Suite - IoT Component
IBM DataStage on Cloud Pak for Data update for Pip
Amazon Linux AMI update for python-pip
Multiple vulnerabilities in IBM QRadar Deployment Intelligence App
Multiple vulnerabilities in Guardium Data Security Center
Gentoo update for pip
Multiple vulnerabilities in Dell PowerStore T
Multiple vulnerabilities in IBM Robotic Process Automation
Multiple vulnerabilities in IBM QRadar SIEM
Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools