CVE-2024-22190
Published 2024-01-11
Priority: P3 35 · Severity: high · CVSS 3.1 base score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.32% (23.3rd percentile)
GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-git | — | — |
| gitpython_project | gitpython | < 3.1.41 | 3.1.41 |
| gitpython_project | gitpython | >= 0 < ef3192cc414f2fd9978908454f6fd95243784c7f | ef3192cc414f2fd9978908454f6fd95243784c7f |
| gitpython_project | gitpython | >= 0 < 3.1.41 | 3.1.41 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| ghsa | — | 7.8 | HIGH | — |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | LOW | — |
Debian
CVE-2024-22190 [HIGH]: python-git
vendor_debian · 2024 · CVSS 7.8
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
OSV
CVE-2024-22190 [HIGH]: GitPython is a python library used to interact with Git repositories
osv · 2024-01-11 · CVSS 7.8
GHSA
CVE-2024-22190 [HIGH] CWE-426: Untrusted search path under some conditions on Windows allows arbitrary code execution
ghsa · 2024-01-10 · CVSS 7.8
### Summary
This issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository.
### Details
Although GitPython often avoids executing programs found in an untrusted search path since 3.1.33, two situations remain where this still occurs. Either can allow arbitrary code execution under some circumstances.
#### When a shell is used
GitPython can be told to run `git` commands through a shell rather than as direct subprocesses, by passing `sh
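The two situations the advisory describes (shell execution of `git`, and `bash.exe` for hooks) both depend on a planted `git.exe`/`bash.exe` in the untrusted checkout plus an unpatched GitPython. The following pre-flight check is an added example, not GitPython's or the advisory's own code; it gates on both conditions before a Windows host lets GitPython use shell mode or hooks on a clone, and `build_sample_clone` is a constructed fixture for demonstration.

```python
# Added example (not GitPython's own code): two pre-flight gates before a
# Windows host lets GitPython run git through a shell or run bash.exe hooks on
# an untrusted clone (CVE-2024-22190): GitPython >= 3.1.41, no planted git.exe/bash.exe.
import os
import tempfile

SHADOW_NAMES = {"git.exe", "bash.exe"}  # names the advisory says can be shadowed
FIXED_VERSION = (3, 1, 41)              # first patched release per the advisory

def parse_version(text):
    """'3.1.40' -> (3, 1, 40); suffixes like 'rc1' are dropped (use packaging.version in production)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def gitpython_is_patched(version_text):
    return parse_version(version_text) >= FIXED_VERSION

def find_shadowing_executables(repo_root):
    """Paths of git.exe/bash.exe anywhere under repo_root. Case-insensitive,
    as Windows lookup is; the whole tree is scanned, .git included, because
    the directory a shell command runs in may be any directory of the checkout."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(repo_root):
        for name in filenames:
            if name.lower() in SHADOW_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def safe_to_use_shell_or_hooks(repo_root, gitpython_version):
    """True only when both gates pass; otherwise avoid shell mode and hook
    execution for this checkout (or refuse to process it at all)."""
    return gitpython_is_patched(gitpython_version) and not find_shadowing_executables(repo_root)

def build_sample_clone(planted=True):
    """Constructed fixture: throwaway fake checkout, optionally with a planted 'Git.exe' (placeholder bytes)."""
    root = tempfile.mkdtemp(prefix="untrusted-clone-")
    os.makedirs(os.path.join(root, ".git", "hooks"))
    os.makedirs(os.path.join(root, "tools"))
    if planted:
        with open(os.path.join(root, "tools", "Git.exe"), "wb") as fh:
            fh.write(b"MZ")  # not a real executable, just a marker file
    return root
```

Pinning GitPython to an absolute path of the real `git` binary is a separate, complementary mitigation that this check does not replace.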
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f
- https://github.com/gitpython-developers/GitPython/pull/1792
- https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
Published: 2024-01-11