Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-hcpj-qp55-gfph: GitPython vulnerable to Remote Code Execution due to improper user input validation

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

ghsa
#vulnerability#git#rce
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2022-24439

GitPython vulnerable to Remote Code Execution due to improper user input validation

High severity GitHub Reviewed Published Dec 6, 2022 • Updated Dec 6, 2022

Package

pip GitPython (pip)

Affected versions

<= 3.1.20

Description

Related news

Gentoo Linux Security Advisory 202311-01

Gentoo Linux Security Advisory 202311-1 - A vulnerability has been discovered in GitPython where crafted input to Repo.clone_from can lead to code execution. Versions greater than or equal to 3.1.30 are affected.

Red Hat Security Advisory 2023-5931-01

Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.

Ubuntu Security Notice USN-5968-1

Ubuntu Security Notice 5968-1 - It was discovered that GitPython did not properly sanitize user inputs for remote URLs in the clone command. By injecting a maliciously crafted remote URL, an attacker could possibly use this issue to execute arbitrary commands on the host.

CVE-2022-24439: Snyk Vulnerability Database | Snyk

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.