All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
09 Jan 2024, 03:21
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
First Time |
Debian
Debian debian Linux |
|
CPE | cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
|
References | () https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/ - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN/ - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/ - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X/ - Mailing List, Third Party Advisory | |
References | () https://security.gentoo.org/glsa/202311-01 - Third Party Advisory |
07 Nov 2023, 03:44
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
01 Nov 2023, 14:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 Aug 2023, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
22 Aug 2023, 19:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 Jul 2023, 12:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Feb 2023, 22:17
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X/ - Mailing List, Third Party Advisory | |
First Time |
Fedoraproject
Fedoraproject fedora |
|
CPE | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:* |
07 Jan 2023, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
04 Jan 2023, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Dec 2022, 16:16
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py%23L1249 - Broken Link | |
References | (CONFIRM) https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858 - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:gitpython_project:gitpython:-:*:*:*:*:python:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
First Time |
Gitpython Project
Gitpython Project gitpython |
|
CWE | CWE-20 |
06 Dec 2022, 12:09
Type | Values Removed | Values Added |
---|---|---|
Summary | All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. |
06 Dec 2022, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-12-06 05:15
Updated : 2024-01-09 03:21
NVD link : CVE-2022-24439
Mitre link : CVE-2022-24439
CVE.ORG link : CVE-2022-24439
JSON object : View
Products Affected
fedoraproject
- fedora
debian
- debian_linux
gitpython_project
- gitpython
CWE
CWE-20
Improper Input Validation