PYSEC-2023-228 — Vulnetix

PYSEC-2023-228 PUBLISHED CVSS 3.299999952316284 LOW

When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Risk Scores

CVSS v3.1

3.299999952316284

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected Products

Vendor	Product	Versions
PyPI	pip	0.2.1, 0.3, 0

Timeline

Oct 25, 2023 CVE Published
Mar 24, 2026 CVE Updated

References

https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/ advisory
https://github.com/pypa/pip/pull/12306 fix

Open in Interactive Console →