CVE-2023-5752 is a medium-severity vulnerability affecting the pypa pip package manager. When installing a package from a Mercurial VCS URL (i.e., "pip install hg+...") using pip versions prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call (e.g., "--config"). This allows an attacker who controls the revision string to control the Mercurial configuration, potentially altering how, and which, repository is installed. Users who are not installing from Mercurial are not affected.
The severity of this vulnerability is classified as medium with a CVSS score of 5.5. The risk to organizations includes potential integrity impact, as attackers could modify the installed repository by injecting malicious configurations. Given the nature of the vulnerability, organizations using pip for package installations should prioritize addressing this issue.
Currently, there are no known exploits or public proof of concepts (PoCs) associated with this vulnerability. Organizations should still remain vigilant as the potential for exploitation exists. Urgency for remediation is classified as moderate; organizations should schedule remediation in their patch cycle.
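The following is an added, illustrative example (not pip's own code or patch) of the bug class described above: a revision string appended to the hg command line as a bare token can be read by hg's option parser, whereas binding it with "--rev=" and rejecting option-like values cannot. It also includes a small audit helper for requirements files; the requirement grammar and the sample lines are constructed assumptions.

```python
"""Spotting option-like Mercurial revisions in pip VCS requirements and building
an hg argv in which the revision cannot be parsed as an option. Illustrative only;
this is not pip's own code."""
import re
from typing import List, Optional, Tuple

# Simplified pip VCS requirement: hg+<url>[@<rev>][#egg=<name>]  (assumption: pip's
# real parser handles more cases, e.g. credentials containing '@').
_HG_REQ = re.compile(r"^hg\+(?P<url>[^@#]+)(?:@(?P<rev>[^#]*))?(?:#.*)?$")


def parse_hg_requirement(req: str) -> Tuple[str, Optional[str]]:
    m = _HG_REQ.match(req.strip())
    if not m:
        raise ValueError(f"not an hg VCS requirement: {req!r}")
    return m.group("url"), m.group("rev")


def is_option_like_rev(rev: str) -> bool:
    """A revision beginning with '-' is consumed by hg's option parser (e.g. as
    --config) when it is passed as a bare positional argument."""
    return rev.startswith("-")


def hg_update_argv_unsafe(rev: str) -> List[str]:
    """Pattern affected by CVE-2023-5752: the revision is appended as a bare token."""
    return ["hg", "update", "-q", rev]


def hg_update_argv_hardened(rev: str) -> List[str]:
    """Hardened pattern: refuse option-like revisions and bind the value with
    --rev=, so hg can only ever interpret it as a revision."""
    if is_option_like_rev(rev):
        raise ValueError(f"refusing option-like Mercurial revision: {rev!r}")
    return ["hg", "update", "-q", f"--rev={rev}"]


def audit_requirements(lines: List[str]) -> List[str]:
    """Return the hg+ requirement lines whose pinned revision looks like an option."""
    flagged = []
    for line in lines:
        if not line.lstrip().startswith("hg+"):
            continue
        _, rev = parse_hg_requirement(line)
        if rev is not None and is_option_like_rev(rev):
            flagged.append(line)
    return flagged


# Constructed sample requirements file (not taken from the advisory).
SAMPLE_REQUIREMENTS = [
    "requests==2.31.0",
    "hg+https://hg.example.invalid/project@v1.2.3#egg=project",
    "hg+https://hg.example.invalid/project@--config=example.section=value#egg=project",
]
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` flags only the third line, and the hardened builder refuses that revision outright while the unsafe builder would have handed it to hg as a separate token.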
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.