Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oY3BqLXFwNTUtZ2ZwaM4AAwKi
GitPython vulnerable to Remote Code Execution due to improper user input validation
GitPython versions up to and including 3.1.29 are vulnerable to Remote Code Execution (RCE) due to improper validation of user input: a maliciously crafted remote URL can be injected into the clone command. The vulnerability exists because the library invokes the external git executable without sufficiently sanitizing the arguments it passes, so a URL taken from an untrusted caller reaches git unchanged. The fix ships in 3.1.30.
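The practical consequence for an application that clones repositories named by its users is that the URL must be treated as untrusted input before it is handed to GitPython. The following is an added example for this advisory, not GitPython's own code: it refuses to run on a release inside the affected range recorded here (<= 3.1.29), and it allows only plain https://, ssh:// and user@host:path URLs (optionally restricted to an allowlist of hosts) to reach `git.Repo.clone_from`. The function names, the URL policy and the hypothetical `allowed_hosts` parameter are this example's own; `git.Repo.clone_from(url, to_path)` is the real GitPython call, and the clone callable is injectable so the checks run without GitPython installed.

```python
"""Application-side guard for untrusted clone URLs handed to GitPython.

Added example for GHSA-hcpj-qp55-gfph / CVE-2022-24439 (not GitPython code).
Assumes the application receives a repository URL from an untrusted caller
and wants to (1) refuse to run on an affected GitPython release and
(2) let only plain https://, ssh:// or user@host:path URLs reach git.
"""
import re
from importlib.metadata import PackageNotFoundError, version as dist_version
from typing import Callable, Optional, Tuple

# Range taken from this advisory: every release <= 3.1.29 is affected, 3.1.30 fixes it.
FIXED_VERSION: Tuple[int, ...] = (3, 1, 30)

# Host and user names must start with an alphanumeric so they can never be read
# as a leading "-" option by git or ssh; repository paths may not start with "-".
_NAME = r"[A-Za-z0-9][A-Za-z0-9._-]*"
_HOST = r"(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)"
_PATH = r"(?!-)[A-Za-z0-9._~/-]+"
_URL_FORMS = (
    re.compile(rf"^https://{_HOST}(?::\d{{1,5}})?/{_PATH}$"),
    re.compile(rf"^ssh://(?:{_NAME}@)?{_HOST}(?::\d{{1,5}})?/{_PATH}$"),
    re.compile(rf"^(?:{_NAME}@)?{_HOST}:(?!/){_PATH}$"),  # scp-like git@host:org/repo.git
)


def validate_clone_url(url: str, allowed_hosts: Optional[frozenset] = None) -> str:
    """Return ``url`` unchanged if it is an allowed git URL, else raise ValueError.

    The message names the rule that rejected the URL so callers can log it.
    """
    if not url or any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise ValueError("empty URL, or whitespace/control characters in URL")
    if url.startswith("-"):
        raise ValueError("URL starts with '-' and would be parsed as a git option")
    if "::" in url:
        raise ValueError("remote-helper syntax (<helper>::<address>) is not allowed")
    for form in _URL_FORMS:
        match = form.match(url)
        if match:
            host = match.group("host").lower()
            if allowed_hosts is not None and host not in allowed_hosts:
                raise ValueError(f"host {host!r} is not in the allowlist")
            return url
    raise ValueError("URL is not an https://, ssh:// or user@host:path git URL")


def is_safe_clone_url(url: str, allowed_hosts: Optional[frozenset] = None) -> bool:
    """Boolean form of validate_clone_url for callers that only need yes/no."""
    try:
        validate_clone_url(url, allowed_hosts)
    except ValueError:
        return False
    return True


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric release string such as '3.1.29' into a comparable tuple."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a plain dotted release version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text: str) -> bool:
    """True if this GitPython release is inside the advisory's affected range (<= 3.1.29)."""
    return parse_version(text) < FIXED_VERSION


def installed_gitpython_version() -> Optional[str]:
    """Installed GitPython distribution version, or None if it is not installed."""
    try:
        return dist_version("GitPython")
    except PackageNotFoundError:
        return None


def clone_untrusted(url: str, dest: str,
                    clone_fn: Optional[Callable[[str, str], object]] = None,
                    allowed_hosts: Optional[frozenset] = None) -> object:
    """Clone ``url`` into ``dest`` only after the library version and the URL pass the checks.

    ``clone_fn`` defaults to GitPython's ``git.Repo.clone_from(url, to_path)``; the
    parameter exists so a recorder can be substituted and the module runs without GitPython.
    """
    installed = installed_gitpython_version()
    if installed is not None and is_affected_version(installed):
        raise RuntimeError(f"GitPython {installed} is affected by CVE-2022-24439; upgrade to >= 3.1.30")
    safe_url = validate_clone_url(url, allowed_hosts)
    if clone_fn is None:
        from git import Repo  # GitPython; imported lazily so the checks above run without it
        clone_fn = Repo.clone_from
    return clone_fn(safe_url, dest)
```

The validator is an allowlist: anything that is not one of the three recognised URL shapes is rejected, rather than trying to enumerate dangerous inputs (helper prefixes, leading options, local paths, embedded whitespace). Upgrading to 3.1.30 remains the remediation this advisory records; the version gate simply makes a forgotten upgrade fail loudly instead of silently cloning with an affected release.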
Permalink: https://github.com/advisories/GHSA-hcpj-qp55-gfph
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oY3BqLXFwNTUtZ2ZwaM4AAwKi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: 22 days ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.01185
EPSS Percentile: 0.85504
Identifiers: GHSA-hcpj-qp55-gfph, CVE-2022-24439
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-24439
- https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
- https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py#L1249
- https://github.com/gitpython-developers/GitPython/issues/1515
- https://github.com/gitpython-developers/GitPython/releases/tag/3.1.30
- https://github.com/gitpython-developers/GitPython/commit/2625ed9fc074091c531c27ffcba7902771130261
- https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html
- https://security.gentoo.org/glsa/202311-01
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH
- https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2022-42992.yaml
- https://github.com/advisories/GHSA-hcpj-qp55-gfph
Blast Radius: 36.0
Affected Packages
pypi:GitPython
Dependent packages: 1,181
Dependent repositories: 27,784
Downloads: 97,160,556 last month
Affected Version Ranges: <= 3.1.29
Fixed in: 3.1.30
All affected versions: 0.1.7, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 1.0.0, 1.0.1, 1.0.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29
All unaffected versions: 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.34, 3.1.35, 3.1.36, 3.1.37, 3.1.38, 3.1.40, 3.1.41, 3.1.42, 3.1.43