k8s-sidecar-1.22
1.22.4-r2
CVSS V3: 5.5
Command Injection in pip when used with Mercurial
When installing a package from a Mercurial VCS URL, e.g. pip install hg+..., with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the hg clone call (e.g. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.