CVE-2022-24439
published 2022-12-06


Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.38% (91.7th percentile)
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Affected (10 ranges)

Vendor            | Product      | Version range                 | Fixed in
debian            | debian_linux |                               |
debian            | python-git   | < 3.1.30-1+deb12u2 (bookworm) | 3.1.30-1+deb12u2 (bookworm)
debian            | python-git   | < 3.1.30-1 (bookworm)         | 3.1.30-1 (bookworm)
fedoraproject     | fedora       |                               |
fedoraproject     | fedora       |                               |
fedoraproject     | fedora       |                               |
gitpython_project | gitpython    | < 3.1.30                      | 3.1.30
gitpython_project | gitpython    | < 3.1.32                      | 3.1.32
gitpython_project | gitpython    | >= 0 < 3.1.30                 | 3.1.30
gitpython_project | gitpython    | >= 0 < 3.1.32                 | 3.1.32

Detection & IOCs (extracted from sources)

command: git.Repo.clone_from
  • The vulnerability is triggered by injecting a maliciously crafted remote URL into the `clone` or `clone_from` command of GitPython; monitor for unusual arguments passed to git clone invocations spawned by Python processes.
  • Detect SSRF probing of internal ports (especially 5000) via HTTP requests with User-Agent 'python-requests' originating from the web application server.
  • GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from; patch to >= 3.1.32 (CVE-2023-40267 is an incomplete fix follow-up) and >= 3.1.36 for full remediation.
  • Monitor for Python scripts running as root that invoke git.Repo.clone_from with externally-controlled URL arguments, as this is the direct exploitation path for privilege escalation.
  • In Red Hat OpenStack Platform, the affected clone_from() function is not in use, reducing exploitability to medium/low in those environments.
  • CVE-2023-40267 represents an incomplete fix for CVE-2022-24439; patching to GitPython 3.1.30 is insufficient; full remediation requires >= 3.1.36.
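The bullets above describe the exposure (a remote string forwarded to the git CLI without sanitization) and the remediation threshold (GitPython >= 3.1.36). The following is an added example, not code from cbcvebase, GitPython, or the cited sources: a defensive pre-check a Python service can run before handing an externally supplied remote to git.Repo.clone_from. It refuses remotes that begin with '-' (which git would parse as an option), restricts transports to an allowlist, and checks the installed GitPython against the 3.1.36 threshold stated above. ALLOWED_SCHEMES, REMEDIATED_VERSION, validate_clone_url, is_safe_clone_url, parse_version, gitpython_is_remediated and safe_clone_from are this example's own names; git.Repo.clone_from and git.__version__ are GitPython's.

```python
"""Defensive pre-checks for GitPython clone calls (added example, not GitPython code)."""
from urllib.parse import urlsplit

# Transport schemes we are willing to hand to `git clone`; anything else,
# including remote helpers that run local programs, is refused before git
# ever sees the string. (Assumption: these three cover the service's needs.)
ALLOWED_SCHEMES = frozenset({"https", "ssh", "git"})

# Minimum GitPython release the record above names for full remediation.
REMEDIATED_VERSION = (3, 1, 36)


def validate_clone_url(url: str) -> str:
    """Return `url` if it is safe to pass as the remote argument, else raise ValueError.

    The checks target the failure mode in CVE-2022-24439: the remote string
    is forwarded to the git CLI, so it must not be able to masquerade as an
    option or select an unexpected transport.
    """
    if not isinstance(url, str) or not url.strip():
        raise ValueError("clone URL must be a non-empty string")
    candidate = url.strip()

    # git parses any positional argument that begins with '-' as a flag.
    if candidate.startswith("-"):
        raise ValueError("clone URL must not begin with '-'")

    # Whitespace or control characters never belong in a remote URL.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        raise ValueError("clone URL contains whitespace or control characters")

    # Require an explicit, allowlisted scheme and a host. scp-style
    # 'user@host:path' remotes have no scheme and are rejected by design;
    # callers must spell them as ssh://user@host/path.
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported transport scheme: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("clone URL has no host component")
    return candidate


def is_safe_clone_url(url: str) -> bool:
    """Boolean form of validate_clone_url, convenient for filtering and logging."""
    try:
        validate_clone_url(url)
    except ValueError:
        return False
    return True


def parse_version(version: str) -> tuple:
    """Turn '3.1.36' into (3, 1, 36); parsing stops at the first non-numeric part."""
    parts = []
    for part in version.split("."):
        if not part.isdigit():
            break
        parts.append(int(part))
    return tuple(parts)


def gitpython_is_remediated(version: str) -> bool:
    """True when the given GitPython version is at or above the fully fixed release."""
    return parse_version(version) >= REMEDIATED_VERSION


def safe_clone_from(url: str, to_path: str):
    """Validate `url` and the installed library, then delegate to git.Repo.clone_from.

    GitPython is imported lazily (assumption: it is installed at call time) so
    the validators above remain usable without it. No multi_options are passed,
    so only the positional remote and destination reach the git CLI.
    """
    import git  # GitPython; deliberately not imported at module level

    if not gitpython_is_remediated(git.__version__):
        raise RuntimeError(f"GitPython {git.__version__} is below the remediated release")
    return git.Repo.clone_from(validate_clone_url(url), to_path)
```

Run validate_clone_url on the remote at the trust boundary (request handler, job queue consumer) rather than deep inside the clone wrapper, so a rejected value is logged with its source; the version gate is cheap enough to evaluate on every call and doubles as a deployment check that a downgraded dependency cannot pass silently.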

CVSS provenance

  • nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • ghsa: 9.8 CRITICAL
  • osv: 9.8 CRITICAL
  • vendor_debian: 8.1 HIGH
  • vendor_redhat: 8.1 HIGH