{ "schema_version": "1.4.0", "id": "GHSA-hcpj-qp55-gfph", "modified": "2024-11-18T16:26:28Z", "published": "2022-12-06T06:30:17Z", "aliases": [ "CVE-2022-24439" ], "summary": "GitPython vulnerable to Remote Code Execution due to improper user input validation", "details": "All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "GitPython" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.1.30" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 3.1.29" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24439" }, { "type": "WEB", "url": "https://github.com/gitpython-developers/GitPython/issues/1515" }, { "type": "WEB", "url": "https://github.com/gitpython-developers/GitPython/commit/2625ed9fc074091c531c27ffcba7902771130261" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202311-01" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2022-42992.yaml" }, { "type": "WEB", "url": "https://github.com/gitpython-developers/GitPython/releases/tag/3.1.30" }, { "type": "WEB", "url": "https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py%23L1249" }, { "type": "WEB", "url": "https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py#L1249" }, { "type": "PACKAGE", "url": "https://github.com/gitpython-developers/GitPython" } ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-94" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-12-06T14:33:52Z", "nvd_published_at": "2022-12-06T05:15:00Z" } }