Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oY3BqLXFwNTUtZ2ZwaM4AAwKi
GitPython vulnerable to Remote Code Execution due to improper user input validation
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
Permalink: https://github.com/advisories/GHSA-hcpj-qp55-gfph
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oY3BqLXFwNTUtZ2ZwaM4AAwKi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 3 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-hcpj-qp55-gfph, CVE-2022-24439
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-24439
- https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
- https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py#L1249
- https://github.com/gitpython-developers/GitPython/issues/1515
- https://github.com/gitpython-developers/GitPython/releases/tag/3.1.30
- https://github.com/gitpython-developers/GitPython/commit/2625ed9fc074091c531c27ffcba7902771130261
- https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html
- https://security.gentoo.org/glsa/202311-01
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X/
- https://github.com/advisories/GHSA-hcpj-qp55-gfph
Blast Radius: 36.0
Affected Packages
pypi:GitPython
Dependent packages: 907
Dependent repositories: 27,784
Downloads: 59,879,244 last month
Affected Version Ranges: <= 3.1.29
Fixed in: 3.1.30
All affected versions: 0.1.7, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 1.0.0, 1.0.1, 1.0.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29
All unaffected versions: 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.34, 3.1.35, 3.1.36, 3.1.37, 3.1.38, 3.1.40, 3.1.41, 3.1.42, 3.1.43