Все бюллетени/p10/ALT-PU-2026-8101-2
ALT-PU-2026-8101-2

Обновление пакета python3-module-GitPython в ветке p10

Версия3.1.50-alt0.p10.1
Задание#417796
Опубликовано2026-05-22
Макс. серьёзностьCRITICAL
Серьёзность:

Закрытые проблемы (9)

BDU:2026-06621
HIGH8.8

Уязвимость функций Repo.clone_from(), Remote.fetch(), Remote.pull() или Remote.push() библиотеки Python для взаимодействия с git-репозиториями GitPython, позволяющая нарушителю выполнить произвольные команды

Опубликовано: 2026-05-12
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0КРИТИЧЕСКАЯ 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
Ссылки
CVE-2026-42215
HIGH8.8

GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.

Опубликовано: 2026-05-07Изменено: 2026-06-17
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ссылки
CVE-2026-42284
CRITICAL9.8

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.

Опубликовано: 2026-05-07Изменено: 2026-06-17
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ссылки
CVE-2026-44243
HIGH7.8

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48.

Опубликовано: 2026-05-07Изменено: 2026-06-17
CVSS 3.xВЫСОКАЯ 7.1
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS 4.0ВЫСОКАЯ 7.8
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2026-44244
HIGH7.8

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.

Опубликовано: 2026-05-07Изменено: 2026-06-17
CVSS 3.xВЫСОКАЯ 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ссылки
GHSA-7545-fcxq-7j24
HIGH7.8

GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository

Опубликовано: 2026-05-06Изменено: 2026-05-08
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS 4.0ВЫСОКАЯ 7.8
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Ссылки
GHSA-rpm5-65cw-6hj4
HIGH8.8

GitPython has Command Injection via Git options bypass

Опубликовано: 2026-04-25Изменено: 2026-05-08
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ссылки
GHSA-v87r-6q3f-2j67
HIGH7.8

GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath

Опубликовано: 2026-05-06Изменено: 2026-05-08
CVSS 3.xВЫСОКАЯ 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ссылки
GHSA-x2qx-6953-8485
HIGH8.1

GitPython: Unsafe option check validates multi_options before shlex.split transformation

Опубликовано: 2026-04-25Изменено: 2026-05-13
CVSS 3.xВЫСОКАЯ 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Ссылки