CVE-2023-5752: 
Python vulnerability analysis and mitigation

CVE-2023-5752 affects pip versions prior to v23.3. The vulnerability was discovered in pip's handling of Mercurial VCS URLs, where when installing a package using 'pip install hg+...', the specified Mercurial revision could be used to inject arbitrary configuration options to the 'hg clone' call. The issue was disclosed on October 24, 2023, and affects all pip installations before version 23.3 (Python Security).

The vulnerability allows attackers to inject arbitrary configuration options (like '--config') through the Mercurial revision parameter when installing packages via pip from Mercurial VCS URLs. The CVSS v3.1 base score is 3.3 (LOW) according to NVD, with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, though Python Software Foundation rates it as MEDIUM with a score of 5.5 and vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability allows an attacker to control the Mercurial configuration, which can modify how and which repository is installed. This could potentially lead to the installation of unintended or malicious code. However, the impact is limited to users who specifically install packages from Mercurial VCS URLs (Python Security).

The primary mitigation is to upgrade to pip version 23.3 or later. For users who cannot upgrade immediately, the recommended workaround is to avoid cloning Mercurial repositories or ensure controlled input to the target Mercurial URL and revision. The fix involves using '-r=...' instead of '-r ...' for specifying references with Mercurial (Python Security, GitHub PR).