ALT-PU-2023-8415-1
Package python3-module-GitPython updated to version 3.1.30-alt1 for branch sisyphus in task 313776.
Closed vulnerabilities
Published: 2022-12-06
Modified: 2024-11-21
CVE-2022-24439
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
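The description above names a crafted remote URL reaching the clone command through insufficient validation of git's arguments. As an added example, not code from GitPython or from this advisory, the Python below shows a call-site allow-list check that rejects option-like values and non-allow-listed transports before any URL is handed to a clone; `validate_clone_url`, `is_safe_clone_url` and the sample URLs are constructed for this example, and the check complements (does not replace) updating to the fixed package.

```python
# Added example (not GitPython's code or the advisory's): an allow-list check for
# remote URLs applied at the call site, before the value reaches a clone command.
# It addresses the failure mode the advisory names (a crafted URL injected into
# the clone command). Function names and sample URLs are constructed here.
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "ssh", "git"}
# scp-style SSH syntax (user@host:path) carries no scheme, so urlsplit cannot
# classify it; accept only a tightly constrained form of it.
_SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[A-Za-z0-9._~/-]+$")


class UnsafeRemoteURL(ValueError):
    """Raised when a remote URL fails the allow-list check."""


def validate_clone_url(url: str) -> str:
    """Return url unchanged if it may be passed to a clone command; else raise."""
    if not isinstance(url, str) or not url.strip():
        raise UnsafeRemoteURL("empty remote URL")
    if url.lstrip().startswith("-"):
        # git would parse such a value as an option rather than as a URL
        raise UnsafeRemoteURL("remote URL must not begin with '-'")
    if any(ch in url for ch in "\x00\r\n\t "):
        raise UnsafeRemoteURL("whitespace or control characters in remote URL")
    if _SCP_LIKE.match(url):
        return url
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # rejects file://, bare local paths and any helper-style transport (x::...)
        raise UnsafeRemoteURL(f"scheme {parts.scheme!r} is not allow-listed")
    if not parts.hostname:
        raise UnsafeRemoteURL("remote URL has no host")
    return url


def is_safe_clone_url(url: str) -> bool:
    """Boolean form of validate_clone_url, for filtering candidate remotes."""
    try:
        validate_clone_url(url)
        return True
    except UnsafeRemoteURL:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: two acceptable remotes, three rejected ones.
    for s in ["https://github.com/gitpython-developers/GitPython.git",
              "git@example.org:team/project.git", "-not-a-url",
              "file:///srv/git/project", "custom::helper"]:
        print("OK    " if is_safe_clone_url(s) else "REJECT", s)
```

Call `validate_clone_url` on every externally supplied remote before passing it to `Repo.clone_from` or any other git wrapper, and treat a raised `UnsafeRemoteURL` as a rejected request rather than something to sanitize and retry.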
References:
- https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py#L1249
- [debian-lts-announce] 20230725 [SECURITY] [DLA 3502-1] python-git security update
- FEDORA-2023-26116901d9
- FEDORA-2022-8146a727a8
- FEDORA-2023-1ec4e542f9
- FEDORA-2022-ce7369b9ec
- GLSA-202311-01
- https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858