CVE-2024-22190 — Untrusted Search Path in Project Gitpython

CWE-426 — Untrusted Search Path5 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.4%

top 42.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitpython Project Gitpython Debian Python-git

Timeline

PublishedJan 11

Description

GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDgitpython_project/gitpython< 3.1.41

▶PyPIgitpython_project/gitpython< ef3192cc414f2fd9978908454f6fd95243784c7f+1

▶debiandebian/python-git

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-22190: GitPython is a python library used to interact with Git repositories↗2024-01-11

▶

GHSA

Untrusted search path under some conditions on Windows allows arbitrary code execution↗2024-01-10

▶

OSV

Untrusted search path under some conditions on Windows allows arbitrary code execution↗2024-01-10

▶

📋Vendor Advisories

Debian

CVE-2024-22190: python-git - GitPython is a python library used to interact with Git repositories. There is a...↗2024

▶