CVE-2023-40590Untrusted Search Path in Gitpython

CWE-426Untrusted Search Path11 documents5 sources
Severity
7.8HIGHNVD
EPSS
0.4%
top 41.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Gitpython-developers GitpythonGitpython Project GitpythonDebian Python-git
Timeline
PublishedAug 28
Latest updateJan 11

Description

GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the `git` command, if a user runs GitPython from a repo has a `git.exe` or `git` executable, that program will be run instead of the one in the user's `PATH`. This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But pro

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

CVEListV5gitpython-developers/gitpython< 3.1.41

🔴Vulnerability Details

6
OSV
CVE-2024-22190: GitPython is a python library used to interact with Git repositories2024-01-11
GHSA
Untrusted search path under some conditions on Windows allows arbitrary code execution2024-01-10
OSV
Untrusted search path under some conditions on Windows allows arbitrary code execution2024-01-10
GHSA
GitPython untrusted search path on Windows systems leading to arbitrary code execution2023-08-29
OSV
GitPython untrusted search path on Windows systems leading to arbitrary code execution2023-08-29

📋Vendor Advisories

3
Debian
CVE-2024-22190: python-git - GitPython is a python library used to interact with Git repositories. There is a...2024
Red Hat
gitpython: improper executable lookup on windows2023-08-28
Debian
CVE-2023-40590: python-git - GitPython is a python library used to interact with Git repositories. When resol...2023