DirectorySecurity Advisories
Sign In
Security Advisories

CGA-fj24-33pw-hx4q

Published

Last updated

https://images.chainguard.dev/security/CGA-fj24-33pw-hx4q
Package

k8s-sidecar-1.22

Latest Update
Fixed
Fixed Version

1.22.4-r2

Aliases
  • CVE-2023-5752
  • GHSA-mq26-g339-26xf

Severity

5.5

Medium

CVSS V3

Summary

Command Injection in pip when used with Mercurial

Description

When installing a package from a Mercurial VCS URL, e.g. pip install hg+..., with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (e.g. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

References

Updates


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images