Pip Command Injection Vulnerability

🗓️ 25 Oct 2023 00:00:00Reported by China National Vulnerability Database of Information SecurityType

cnnvd

cnnvd🔗 www.cnnvd.org.cn👁 2 Views

Pip versions before 23.3 have a command injection vulnerability via an injected configuration option.

Reporter	Title	Published	Views	Family All 121
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition	17 Dec 202509:51	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities	7 Mar 202515:14	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities exists in IBM Netezza Analytics - NPS Product	15 Jul 202515:44	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Verify Access is vulnerable to multiple Security Vulnerabilities	15 Apr 202502:42	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Iot Component uses axios 1.7.9 and Python-3.8.17 which is vulnerable to CVE-2023-40217, CVE-2024-6232, CVE-2022-40897, CVE-2024-6345, CVE-2023-5752 and CVE-2025-27152	25 Jun 202508:00	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 2.0.3	7 Oct 202516:08	–	ibm
IBM Security Bulletins	Security Bulletin: DataStage on Cloud Pak for Data has several vulnerabilities due to open source software	16 Jun 202618:26	–	ibm
IBM Security Bulletins	Security Bulletin: IBM watsonx.ai on Cloud Pak for Data is vulnerable to python-Python-3.12.0b4 (Publicly disclosed vulnerability found by Mend) due to python pip package ( CVE-2023-5752, PRISMA-2022-0168)	5 Jun 202608:14	–	ibm
IBM Security Bulletins	Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFixes for August 2025.	15 Sep 202507:04	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Iot Component uses axios 1.7.9 and Python-3.8.17 which is vulnerable to CVE-2023-40217, CVE-2024-6232, CVE-2022-40897, CVE-2024-6345, CVE-2023-5752 and CVE-2025-27152	25 Jun 202507:57	–	ibm

Source	Link
lists	www.lists.fedoraproject.org/archives/list/[email protected]/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/
mail	www.mail.python.org/archives/list/[email protected]/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
lists	www.lists.fedoraproject.org/archives/list/[email protected]/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/
lists	www.lists.fedoraproject.org/archives/list/[email protected]/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U/
github	www.github.com/pypa/pip/pull/12306
lists	www.lists.fedoraproject.org/archives/list/[email protected]/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/
lists	www.lists.fedoraproject.org/archives/list/[email protected]/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/
vigilance	www.vigilance.fr/vulnerability/pip-write-access-via-Mercurial-VCS-URL-Configuration-Options-43190
cxsecurity	www.cxsecurity.com/cveshow/CVE-2023-5752/
oracle	www.oracle.com/security-alerts/cpuoct2024.html

16 Jan 2026 00:00Current

7.6High risk

Vulners AI Score7.6

CVSS 3.13.3 - 5.5

EPSS0.00476

SSVC

python package manager command injection vulnerability version before 23.3 injected configuration option