ALAS2023-2023-442 --- python-pip
ID: oval:org.secpod.oval:def:19500518 | Date: (C)2024-01-04 (M)2024-04-29 |
Class: PATCH | Family: unix |
When installing a package from a Mercurial VCS URL with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call. Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
Platform: |
Amazon Linux 2023 |
Product: |
python-pip |
python3-pip |