{
  "threat_severity" : "Low",
  "public_date" : "2023-10-25T00:00:00Z",
  "bugzilla" : {
    "description" : "pip: Mercurial configuration injectable in repo revision when installing via pip",
    "id" : "2250765",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2250765"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-77",
  "details" : [ "When installing a package from a Mercurial VCS URL (i.e. \"pip install hg+...\") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the \"hg clone\" call (i.e. \"--config\"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.", "A flaw was found in the Python pip package. The pip could allow a local authenticated attacker to bypass security restrictions due to a flaw when installing a package from a Mercurial VCS URL. By sending a specially crafted request, an attacker can inject arbitrary configuration options to the \"hg clone\" call to modify how and which repository is installed." ],
  "statement" : "Mercurial is not available in RHEL 8 and 9, so the vulnerability cannot be exploited. Without Mercurial installed (the hg command), pip cannot clone and install from hg+http[s] URLs.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "release_date" : "2024-06-10T00:00:00Z",
    "advisory" : "RHSA-2024:3781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
    "package" : "automation-controller-0:4.5.7-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "release_date" : "2024-06-10T00:00:00Z",
    "advisory" : "RHSA-2024:3781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
    "package" : "automation-controller-0:4.5.7-1.el9ap"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 1.2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-tower",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python3x-pyrsistent",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "python-pip",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python-pip",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "python-pip",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "python-pyrsistent",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Fix deferred",
    "package_name" : "devspaces/udi-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Fix deferred",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Service Telemetry Framework 1.5",
    "fix_state" : "Not affected",
    "package_name" : "stf/prometheus-webhook-snmp",
    "cpe" : "cpe:/a:redhat:stf:1.5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-5752\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5752\nhttps://github.com/pypa/pip/pull/12306\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" ],
  "name" : "CVE-2023-5752",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}