ALAS-2023-2349 --- python-pipID: oval:org.secpod.oval:def:1701981 | Date: (C)2023-12-15 (M)2024-04-29 |
Class: PATCH | Family: unix |
When installing a package from a Mercurial VCS URL with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call . Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial
Product: |
python-pip |
python2-pip |
python3-pip |