CVE-2023-40267
Published 2023-08-11
Priority: P344 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.98% (57.9th percentile)
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-git | < python-git 3.1.30-1+deb12u2 (bookworm) | python-git 3.1.30-1+deb12u2 (bookworm) |
| gitpython_project | gitpython | < 3.1.32 | 3.1.32 |
| gitpython_project | gitpython | >= 0 < 3.1.32 | 3.1.32 |
| gitpython_project | gitpython | >= 0 < 3.1.47 | 3.1.47 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 9.8 | CRITICAL | |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 8.1 | HIGH | |
| vendor_redhat | 8.1 | HIGH | |
Ubuntu
GitPython vulnerability
vendor_ubuntu·2023-08-31
CVE-2023-40267 GitPython vulnerability
Title: GitPython vulnerability
Summary: GitPython could be made to run arbitrary commands on the host.
It was discovered that GitPython did not block insecure options from user inputs in the clone command. An attacker could possibly use this issue to execute arbitrary commands on the host.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
GitPython: Insecure non-multi options in clone and clone_from is not blocked
vendor_redhat·2023-08-11·CVSS 8.1
CVE-2023-40267 [HIGH] CWE-20 GitPython: Insecure non-multi options in clone and clone_from is not blocked
GitPython: Insecure non-multi options in clone and clone_from is not blocked
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
An improper input validation vulnerability was found in GitPython. This flaw allows an attacker to inject a maliciously crafted remote URL into the clone command, possibly leading to remote code execution.
Statement: In Red Hat Openstack, Red Hat Ansible Automation Platform, and Red Hat Certification Program, while the gitpython dependency is present, the affected codebase is not being used.
Red Hat Satellite does not use the affected functions during runtime, therefore the possible impact is limited to Moderate.
Package: gitpython (Red Hat Ansible
Debian
CVE-2023-40267: python-git - GitPython before 3.1.32 does not block insecure non-multi options in clone and c...
vendor_debian·2023·CVSS 8.1
CVE-2023-40267 [HIGH] CVE-2023-40267: python-git - GitPython before 3.1.32 does not block insecure non-multi options in clone and c...
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
Scope: local
bookworm: resolved (fixed in 3.1.30-1+deb12u2)
bullseye: resolved (fixed in 3.1.14-1+deb11u1)
forky: resolved (fixed in 3.1.36-1)
sid: resolved (fixed in 3.1.36-1)
trixie: resolved (fixed in 3.1.36-1)
GHSA
GitPython: Unsafe option check validates multi_options before shlex.split transformation
ghsa·2026-04-25
CVE-2026-42284 [HIGH] CWE-88 GitPython: Unsafe option check validates multi_options before shlex.split transformation
GitPython: Unsafe option check validates multi_options before shlex.split transformation
### Summary
`_clone()` validates `multi_options` as the original list, then executes `shlex.split(" ".join(multi_options))`. A string like `"--branch main --config core.hooksPath=/x"` passes validation (starts with `--branch`), but after split becomes `["--branch", "main", "--config", "core.hooksPath=/x"]`. Git applies the config and executes attacker hooks during clone.
### Details
The vulnerable code is in [`git/repo/base.py` line 1383](https://github.com/gitpython-developers/GitPython/blob/5937d14a2c5e532fcb3ece0f45bf75e5bf18539e/git/repo/base.py#L1383):
```python
multi = shlex.split(" ".join(multi_options))
```
Then validation runs on the **original** list at [line 1390](https://github.com/git
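The ordering problem described above, reduced to a runnable comparison (added example, not GitPython's own code): the denylist `UNSAFE_OPTIONS` and the two validator functions are constructed here, and the flawed variant checks the raw `multi_options` items before `shlex.split`, while the hardened variant checks every token after the split.

```python
import shlex

# Constructed denylist of clone options that can cause git to run code.
# Not GitPython's own list; it only needs to cover the advisory's case.
UNSAFE_OPTIONS = ("--config", "-c", "--upload-pack", "-u")


def option_is_unsafe(opt: str) -> bool:
    """True for '--config', '--config=...' and the other denylisted forms."""
    return any(opt == u or opt.startswith(u + "=") for u in UNSAFE_OPTIONS)


def validate_before_split(multi_options: list[str]) -> list[str]:
    """Flawed ordering from the advisory: validate the list items as given,
    then join and split. A single item holding several options is never
    inspected token by token, so it passes."""
    for opt in multi_options:
        if option_is_unsafe(opt):
            raise ValueError(f"unsafe option: {opt}")
    return shlex.split(" ".join(multi_options))


def validate_after_split(multi_options: list[str]) -> list[str]:
    """Hardened ordering: split first, then validate exactly the argv
    tokens that would reach git."""
    tokens = shlex.split(" ".join(multi_options))
    for tok in tokens:
        if option_is_unsafe(tok):
            raise ValueError(f"unsafe option: {tok}")
    return tokens


def rejected(validator, multi_options: list[str]) -> bool:
    """Helper for the comparison: True if the validator refuses the input."""
    try:
        validator(multi_options)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input in the shape the advisory describes.
    smuggled = ["--branch main --config core.hooksPath=/x"]
    print("before-split check rejects:", rejected(validate_before_split, smuggled))
    print("after-split check rejects: ", rejected(validate_after_split, smuggled))
```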
OSV
GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments
osv·2023-08-11·CVSS 9.8
CVE-2023-40267 [CRITICAL] GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments
GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments
GitPython before 3.1.32 does not block insecure non-multi options in `clone` and `clone_from`, making it vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
GHSA
GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments
ghsa·2023-08-11·CVSS 9.8
CVE-2023-40267 [CRITICAL] CWE-78 GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments
GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments
GitPython before 3.1.32 does not block insecure non-multi options in `clone` and `clone_from`, making it vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
OSV
CVE-2023-40267: GitPython before 3
osv·2023-08-11·CVSS 9.8
CVE-2023-40267 [CRITICAL] CVE-2023-40267: GitPython before 3
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
No detection rules found.
No public exploits indexed.
References:
- https://github.com/gitpython-developers/GitPython/commit/ca965ecc81853bca7675261729143f54e5bf4cdd
- https://github.com/gitpython-developers/GitPython/pull/1609
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/
- https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html
Published: 2023-08-11