17 matches found

AstraLinux
added 2026/05/03 11:59 p.m., 4 views

Astra Linux - vulnerability in python-pip

When installing a package from a Mercurial VCS URL, e.g. “pip install hg+…”, using pip before version 23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the “hg clone” call, e.g. “--config”. Controlling the Mercurial configuration allows modifying t...

CVSS 5.5 | AI score 6.8 | EPSS 0.00075
Exploits: 0 | References: 2
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-0137

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 9.3 | EPSS 0.0128
Exploits: 0 | References: 8
Tenable Nessus
added 2024/05/10 12:00 a.m., 26 views

Fedora 38 : pypy (2024-797928fed3)

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-797928fed3 advisory. Security fix for CVE-2023-5752 in the bundled pip. Tenable has extracted the preceding description block directly from the Fedora security advisory...

CVSS 5.5 | AI score 6.7 | EPSS 0.00075
Exploits: 0 | References: 2
Tenable Nessus
added 2024/04/21 12:00 a.m., 35 views

Fedora 39 : python-pip (2024-b72bc39c00)

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-b72bc39c00 advisory. Security fix for CVE-2023-5752. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

CVSS 5.5 | AI score 6.6 | EPSS 0.00075
Exploits: 0 | References: 2
Veracode
added 2023/11/03 10:45 a.m., 25 views

Command Injection

pip is vulnerable to Command Injection. While installing a package from a Mercurial VCS URL, a specified Mercurial URL could be used to inject arbitrary configuration options into the hg clone call. Controlling the Mercurial configuration can modify how and which repository is installed...

CVSS 5.5 | AI score 7.1 | EPSS 0.00075
Exploits: 0 | References: 9 | Affected software: 1
OSV
added 2023/10/25 6:17 p.m., 4 views

AZL-39958 CVE-2023-5752 affecting package python3 for versions less than 3.12.3-1

When installing a package from a Mercurial VCS URL, i.e. "pip install hg+...", with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call, i.e. "--config". Controlling the Mercurial configuration can modify how and which...

CVSS 3.3 | AI score 6.7 | EPSS 0.00075
Exploits: 0 | References: 1
PyPA
added 2023/10/25 6:17 p.m., 4 views

PYSEC-2023-228

When installing a package from a Mercurial VCS URL, i.e. "pip install hg+...", with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call, i.e. "--config". Controlling the Mercurial configuration can modify how and which...

CVSS 5.5 | AI score 7.5 | EPSS 0.00075
Exploits: 0 | References: 2 | Affected software: 1
OSV
added 2023/10/25 6:17 p.m., 1 view

UBUNTU-CVE-2023-5752

When installing a package from a Mercurial VCS URL, i.e. "pip install hg+...", with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call, i.e. "--config". Controlling the Mercurial configuration can modify how and which...

CVSS 5.5 | AI score 6.8 | EPSS 0.00075
Exploits: 0 | References: 5
CVE
added 2023/10/24 8:56 p.m., 368 views

CVE-2023-5752

The CVE-2023-5752 issue affects python-pip when installing from a Mercurial VCS URL (for example, pip install hg+...), where prior to v23.3 a specified Mercurial revision could be used to inject arbitrary configuration options into the hg clone call (for instance --config). This could modify the re...

CVSS 5.5 | AI score 5 | EPSS 0.00075
Exploits: 0 | References: 8 | Affected software: 1
OSV
added 2022/04/01 6:15 p.m., 8 views

CVE-2022-21223

The package cocoapods-downloader before 1.6.2 is vulnerable to Command Injection via hg argument injection. When the download function is called with hg, the url and/or revision, tag, or branch is passed to the hg clone command in a way that allows additional flags to be set. The additional flags can...

CVSS 9.8 | AI score 9.9
Exploits: 0 | References: 2
Prion
added 2022/04/01 6:15 p.m., 6 views

Command injection

The package cocoapods-downloader before 1.6.2 is vulnerable to Command Injection via hg argument injection. When the download function is called with hg, the url and/or revision, tag, or branch is passed to the hg clone command in a way that allows additional flags to be set. The additional flags can...

CVSS 7.5 | AI score 9.9 | EPSS 0.00753
Exploits: 0 | References: 2 | Affected software: 1
CNNVD
added 2022/04/01 12:00 a.m., 2 views

cocoapods-downloader argument injection vulnerability

cocoapods-downloader is a small library for downloading files from remotes into a folder. cocoapods-downloader versions prior to 1.6.2 have a security vulnerability that stems from argument injection into the hg command. An attacker calling the download function could...

CVSS 9.8 | AI score 5.8 | EPSS 0.00753
Exploits: 0 | References: 3
CNVD
added 2022/03/15 12:00 a.m., 17 views

libvcs Command Injection Vulnerability

libvcs is a VCS abstraction layer. It is vulnerable to command injection because, when the updaterepo function is called, the url argument is passed to the hg clone command; an attacker can exploit this to execute commands by injecting some hg options...

CVSS 9.8 | AI score 3 | EPSS 0.0128
Exploits: 0 | References: 1
NVD
added 2022/03/14 6:15 p.m., 12 views

CVE-2022-21187

The package libvcs before 0.11.1 is vulnerable to Command Injection via argument injection. When the updaterepo function is called with hg, the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution...

CVSS 9.8 | EPSS 0.0128
Exploits: 0 | References: 3
ATTACKERKB
added 2022/03/14 5:10 p.m., 2 views

CVE-2022-21187

The package libvcs before 0.11.1 is vulnerable to Command Injection via argument injection. When the updaterepo function is called with hg, the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution...

CVSS 9.8 | AI score 7.4 | EPSS 0.0128
Exploits: 0 | References: 4
CNNVD
added 2022/03/14 12:00 a.m., 2 views

libvcs argument injection vulnerability

libvcs is a VCS abstraction layer. It is vulnerable to command injection because, when the updaterepo function is called, the url argument is passed to the hg clone command; an attacker can exploit this to execute commands by injecting some hg options...

CVSS 9.8 | AI score 5.8 | EPSS 0.0128
Exploits: 0 | References: 5
Snyk
added 2022/03/11 12:18 p.m., 0 views

Command Injection

Overview: github.com/hashicorp/go-getter is a package for downloading things from a string URL using a variety of protocols. Affected versions of this package are vulnerable to Command Injection via hg argument injection. When calling the newgogetter.HgGetter.get function, the dst parameter is...

CVSS 9.8 | AI score 7.4 | EPSS 0.00198
Exploits: 0 | References: 2
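Every entry in this result set describes one pattern: a caller-controlled revision or URL (pip's revision in CVE-2023-5752, the url argument in libvcs CVE-2022-21187, the url/revision/tag/branch in cocoapods-downloader CVE-2022-21223, the dst parameter in go-getter) is placed in a positional slot of an "hg clone" or "hg update" argv, so a value that begins with "--" is read by Mercurial's option parser instead of being treated as data, and "--config" can point a hook or a shell alias at a command. The Python below is an added example, not code from pip, libvcs, cocoapods-downloader or go-getter; the hostile inputs, command shapes and function names are constructed for illustration, and the code only builds argv lists and never runs hg. It shows the naive argv shape beside a hardened one that (a) rejects option-like values for slots where they can never be legitimate and (b) binds the revision to its option as a single "--rev=" token and places "--" before the positionals.

```python
# Added example: models the hg argument-injection pattern behind
# CVE-2023-5752, CVE-2022-21187 and CVE-2022-21223 and shows hardened argv
# shapes. Illustrative code, not from pip, libvcs, cocoapods-downloader or
# go-getter. It only constructs argv lists and never executes hg.
from typing import Dict, List, Sequence

# Constructed inputs for the demonstration (not taken from any advisory).
HONEST_URL = "https://hg.example.org/project"
HONEST_REV = "a1b2c3d4e5f6"
# A value that starts with "-" and lands in a positional slot is handed to
# hg's option parser. --config can set a hook or a shell alias ("!cmd"),
# which is how "inject configuration" turns into "run commands".
HOSTILE_URL = "--config=alias.clone=!echo injected"
HOSTILE_REV = "--config=hooks.pre-update=echo injected"


def looks_like_option(arg: str) -> bool:
    """True if hg's option parser would treat this token as an option."""
    return arg.startswith("-") and arg != "-"


def hg_commands_vulnerable(url: str, rev: str, dest: str) -> List[List[str]]:
    """Naive shape: url and rev are placed in positional slots unchanged."""
    return [
        ["hg", "clone", "--noupdate", "-q", url, dest],
        ["hg", "update", "-q", rev],
    ]


def hg_commands_hardened(url: str, rev: str, dest: str) -> List[List[str]]:
    """Two independent measures, both applied.

    1. Refuse values that can never be legitimate for their slot: a clone
       URL or destination path does not start with "-".
    2. Bind the revision to its option as one token ("--rev=<value>") and
       put "--" before the positionals so hg stops parsing options there,
       whatever the remaining tokens look like.
    """
    for name, value in (("url", url), ("dest", dest)):
        if looks_like_option(value):
            raise ValueError(f"refusing option-like {name}: {value!r}")
    return [
        ["hg", "clone", "--noupdate", "-q", "--", url, dest],
        ["hg", "update", "-q", f"--rev={rev}"],
    ]


def injected_options(argv: Sequence[str], user_values: Sequence[str]) -> List[str]:
    """Return the user-controlled tokens that hg would read as options.

    Scans argv after the program name and stops at "--": everything after
    an end-of-options marker is positional by definition.
    """
    hits: List[str] = []
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg in user_values and looks_like_option(arg):
            hits.append(arg)
    return hits


def audit(commands: Sequence[Sequence[str]], user_values: Sequence[str]) -> List[str]:
    """Flatten injected_options over every command in a sequence."""
    found: List[str] = []
    for argv in commands:
        found.extend(injected_options(argv, user_values))
    return found


def demo() -> Dict[str, object]:
    """Run both builders against hostile input and summarise the difference."""
    hostile = [HOSTILE_URL, HOSTILE_REV]
    vulnerable = hg_commands_vulnerable(HOSTILE_URL, HOSTILE_REV, "dest")
    try:
        hg_commands_hardened(HOSTILE_URL, HOSTILE_REV, "dest")
        url_rejected = False
    except ValueError:
        url_rejected = True
    # With an honest URL the hostile revision still reaches argv, but only
    # as the value of --rev, where it is a (bogus) revision, not an option.
    hardened = hg_commands_hardened(HONEST_URL, HOSTILE_REV, "dest")
    return {
        "vulnerable_injected": audit(vulnerable, hostile),
        "hardened_url_rejected": url_rejected,
        "hardened_injected": audit(hardened, hostile),
        "hardened_update_argv": hardened[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two measures cover different slots: input validation is the right control for a URL or path, which has no legitimate reason to begin with "-", while the "--rev=value" form handles a revision that must still be passed through. The "--" marker is a belt-and-braces addition; do not rely on it alone, since tokens that precede it are still parsed as options.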