Description
When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
A flaw was found in the Python pip package. pip could allow a local authenticated attacker to bypass security restrictions when installing a package from a Mercurial VCS URL. By supplying a specially crafted revision in the hg+ URL, an attacker can inject arbitrary configuration options into the "hg clone" call and so modify how and which repository is installed.
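The injection works because the revision taken from the URL is handed to hg as a bare argument, and hg's global --config option is accepted by every subcommand, so a revision that starts with "--config=" becomes a configuration override instead of a revision. The following added example (not pip's code; the URL, the hook and the helper names are constructed for illustration) shows the vulnerable argv construction next to a hardened one that binds the revision to its option as --rev=<rev> and rejects option-like revisions outright. It only builds argument lists and inspects them, so no hg binary is needed to run it.

```python
"""Revision-to-option injection in hg+ VCS URLs: vulnerable vs hardened argv.

Added example, not pip's implementation.  The helpers, the sample URLs and
the hook name are hypothetical; only argv lists are built, nothing is run.
"""
from urllib.parse import urlsplit

# Constructed sample inputs: a benign pin and a revision carrying a --config
# override that registers a post-update hook (hooks.* values are shell commands).
BENIGN_URL = "hg+https://example.invalid/repo@v1.2"
MALICIOUS_URL = "hg+https://example.invalid/repo@--config=hooks.post-update=touch /tmp/pwned"


def split_vcs_url(url):
    """Split 'hg+<clone_url>@<rev>' into (clone_url, rev or None).

    As in pip-style VCS URLs, the revision is whatever follows the last '@'
    in the path component; '@' inside the netloc (user@host) is left alone.
    """
    scheme, rest = url.split("+", 1)
    if scheme != "hg":
        raise ValueError("example handles hg+ URLs only")
    parts = urlsplit(rest)
    path, sep, rev = parts.path.rpartition("@")
    if not sep:
        return rest, None
    return parts._replace(path=path).geturl(), rev


def vulnerable_hg_argv(rev, subcommand="update"):
    """Appends the revision as a bare positional argument.

    hg parses options anywhere on the command line, so a revision beginning
    with '-' is treated as an option; '--config=section.key=value' is honoured
    by every hg subcommand, clone included.
    """
    return ["hg", subcommand, rev]


def hardened_hg_argv(rev, subcommand="update"):
    """Binds the revision to its option ('--rev=<rev>') and refuses
    option-like revisions, so the string can never be parsed as a flag."""
    if rev.startswith("-"):
        raise ValueError(f"refusing option-like revision: {rev!r}")
    return ["hg", subcommand, f"--rev={rev}"]


def injected_config_options(argv):
    """Return the (section.key, value) pairs hg would read from --config
    arguments in argv: a cheap check for an injected configuration override."""
    found = []
    it = iter(argv[1:])
    for arg in it:
        if arg == "--config":
            spec = next(it, "")
        elif arg.startswith("--config="):
            spec = arg[len("--config="):]
        else:
            continue
        key, _, value = spec.partition("=")
        found.append((key, value))
    return found


if __name__ == "__main__":
    for url in (BENIGN_URL, MALICIOUS_URL):
        clone_url, rev = split_vcs_url(url)
        bad = vulnerable_hg_argv(rev)
        print(url)
        print("  vulnerable argv:", bad, "injected:", injected_config_options(bad))
        try:
            print("  hardened argv:  ", hardened_hg_argv(rev))
        except ValueError as exc:
            print("  hardened argv:  rejected:", exc)
```

Run stand-alone, the malicious URL yields a vulnerable argv whose --config element registers a hooks.post-update command, while the hardened builder refuses it; the benign pin passes both paths and ends up as --rev=v1.2.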
Statement
Mercurial is not shipped in RHEL 8 and 9, so the vulnerability cannot be exploited on a default installation: without Mercurial (the hg command) on the system, pip cannot clone and install from hg+http[s] URLs. Hosts where Mercurial has been installed from a third-party source (it is also distributed on PyPI) do not have this protection.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 1.2 | ansible-tower | Not affected | ||
| Red Hat Ansible Automation Platform 2 | python3x-pyrsistent | Not affected | ||
| Red Hat Enterprise Linux 7 | python-pip | Out of support scope | ||
| Red Hat Enterprise Linux 8 | python-pip | Not affected | ||
| Red Hat Enterprise Linux 9 | python-pip | Not affected | ||
| Red Hat Enterprise Linux 9 | python-pyrsistent | Fix deferred | ||
| Red Hat OpenShift Dev Spaces | devspaces/udi-rhel8 | Fix deferred | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Fix deferred | ||
| Service Telemetry Framework 1.5 | stf/prometheus-webhook-snmp-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | automation-controller | Fixed | RHSA-2024:3781 | 10.06.2024 |
Additional information
Status:
EPSS:
CVSS3: 3.3 Low