DirectorySecurity Advisories
Sign In
Security Advisories

CGA-5f7v-h34j-fh9f

Published

Last updated

https://images.chainguard.dev/security/CGA-5f7v-h34j-fh9f
Package

jwt-tool

Latest Update
Fixed
Fixed Version

2.2.7-r0

Aliases
  • CVE-2023-5752
  • GHSA-mq26-g339-26xf

Severity

5.5

Medium

CVSS V3

Summary

Command Injection in pip when used with Mercurial

Description

When installing a package from a Mercurial VCS URL, e.g. pip install hg+..., with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (e.g. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

References

Updates


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images