Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jd3ZtLXY0dzgtcTU4Y84AA1lK
Blind local file inclusion
Summary
In order to resolve some git references, GitPython reads files from the .git directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system.
Details
This vulnerability is present in
That code joins the base directory with a user given string without checking if the final path is located outside the base directory.
I was able to exploit it from three places, but there may be more code paths that lead to it:
PoC
Running GitPython within any repo should work, here is an example with the GitPython repo.
import git
r = git.Repo(".")
# This will make GitPython read the README.md file from the root of the repo
r.commit("../README.md")
r.tree("../README.md")
r.index.diff("../README.md")
# Reading /etc/random
# WARNING: this will probably halt your system, run with caution
# r.commit("../../../../../../../../../dev/random")
Impact
I wasn't able to show the contents of the files (that's why "blind" local file inclusion), depending on how GitPython is being used, this can be used by an attacker for something inoffensive as checking if a file exits, or cause a DoS by making GitPython read a big/infinite file (like /dev/random on Linux systems).
Possible solutions
A solution would be to check that the final path isn't located outside the repodir path (maybe even after resolving symlinks). Maybe there could be other checks in place to make sure that the reference names are valid.
Permalink: https://github.com/advisories/GHSA-cwvm-v4w8-q58c[!NOTE]
This vulnerability was reported via email, and it was decided to publish it here and make it public, so the community is aware of it, and a fix can be provided.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jd3ZtLXY0dzgtcTU4Y84AA1lK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: 6 months ago
CVSS Score: 4.0
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-cwvm-v4w8-q58c, CVE-2023-41040
References:
- https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
- https://nvd.nist.gov/vuln/detail/CVE-2023-41040
- https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175
- https://github.com/gitpython-developers/GitPython/commit/74e55ee4544867e1bd976b7df5a45869ee397b0b
- https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-165.yaml
- https://github.com/gitpython-developers/GitPython/pull/1672
- https://github.com/gitpython-developers/GitPython/releases/tag/3.1.37
- https://lists.debian.org/debian-lts-announce/2023/09/msg00036.html
- https://github.com/advisories/GHSA-cwvm-v4w8-q58c
Blast Radius: 17.8
Affected Packages
pypi:GitPython
Dependent packages: 907Dependent repositories: 27,784
Downloads: 59,280,380 last month
Affected Version Ranges: <= 3.1.36
Fixed in: 3.1.37
All affected versions: 0.1.7, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 1.0.0, 1.0.1, 1.0.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29, 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.34, 3.1.35, 3.1.36
All unaffected versions: 3.1.37, 3.1.38, 3.1.40, 3.1.41, 3.1.42, 3.1.43