CVE-2023-41040 — Path Traversal in Gitpython

CWE-22 — Path Traversal8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 41.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitpython-developers Gitpython Gitpython Project Gitpython Debian Python-git

Timeline

PublishedAug 30

Latest updateAug 31

Description

GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages4 packages

▶CVEListV5gitpython-developers/gitpython< 3.1.37

▶PyPIgitpython_project/gitpython< 3.1.37+1

▶NVDgitpython_project/gitpython3.1.34

▶debiandebian/python-git< python-git 3.1.30-1+deb12u2 (bookworm)

🔴Vulnerability Details

GHSA

GitPython blind local file inclusion↗2023-08-30

▶

OSV

GitPython blind local file inclusion↗2023-08-30

▶

OSV

CVE-2023-41040: GitPython is a python library used to interact with Git repositories↗2023-08-30

▶

OSV

CVE-2023-41040: GitPython is a python library used to interact with Git repositories↗2023-08-30

▶

📋Vendor Advisories

Red Hat

GitPython: Blind local file inclusion↗2023-08-31

▶

Debian

CVE-2023-41040: python-git - GitPython is a python library used to interact with Git repositories. In order t...↗2023

▶