
CVE-2022-24439 gitpython

Package

Manager: pip
Name: gitpython
Vulnerable Version: >=0 <3.1.30 (fixed in 3.1.30)

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.69549 (percentile 0.98603)

Details

GitPython vulnerable to Remote Code Execution due to improper user input validation

Versions of the gitpython package before 3.1.30 are vulnerable to Remote Code Execution (RCE) due to improper user input validation: a maliciously crafted remote URL can be injected into the clone command. The vulnerability is exploitable because the library invokes the external git binary without sufficiently sanitizing the arguments it passes to it, so an attacker-controlled URL reaches git unmodified and is interpreted by git rather than treated as plain data.
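The input-validation failure described above, as an added example that is not GitPython's own code or its fix: the vulnerable shape (caller-supplied URL passed straight to `git clone`) next to an allow-list validator and a hardened argv. The function names `unchecked_clone_argv`, `is_safe_remote_url`, `build_clone_argv` and `clone` are hypothetical; the attack URLs are constructed. The two git behaviours the validator defends against are documented git features: the `ext::` remote helper runs a command, and a URL beginning with `-` is parsed as a command-line option. `protocol.ext.allow=never` is a real git configuration key.

```python
"""Validating an untrusted clone URL before it is handed to ``git clone``.

Added illustration; this is not GitPython's code or its fix. It shows the
pattern the advisory describes (an attacker-controlled URL passed straight to
the git binary) next to an allow-list check that refuses such URLs.

Two documented git behaviours make a raw URL dangerous:
  * the ``ext::`` remote helper runs a command, so the constructed URL
    ``ext::sh -c touch% /tmp/pwned`` makes git run ``sh -c "touch /tmp/pwned"``
    (``% `` is git-remote-ext's escape for a literal space);
  * a URL beginning with ``-`` is parsed as an option, and options such as
    ``--upload-pack=<cmd>`` also run a command.

``unchecked_clone_argv``, ``is_safe_remote_url``, ``build_clone_argv`` and
``clone`` are hypothetical helper names chosen for this example.
"""
import re
import subprocess

ALLOWED_SCHEMES = {"https", "ssh", "git"}

# "<scheme>://<authority>..." form; scheme characters as permitted by RFC 3986.
_SCHEME_URL = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)")
# scp-like "[user@]host:path" form that git treats as ssh (no "://").
_SCP_LIKE = re.compile(r"^(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9.-]+:(?!//)\S+$")


def unchecked_clone_argv(url: str, dest: str) -> list:
    """The vulnerable shape: whatever the caller supplied goes straight to git."""
    return ["git", "clone", url, dest]


def is_safe_remote_url(url: str) -> bool:
    """Allow-list check: True only for URLs this wrapper is willing to hand to git."""
    if not url or url != url.strip() or any(c in url for c in "\x00\r\n"):
        return False
    if url.startswith("-"):
        return False                      # git would read it as an option
    m = _SCHEME_URL.match(url)
    if m:
        scheme, authority = m.group(1).lower(), m.group(2)
        return scheme in ALLOWED_SCHEMES and authority != ""
    if "::" in url:
        return False                      # <transport>:: remote-helper syntax (ext::, fd::)
    return _SCP_LIKE.match(url) is not None


def build_clone_argv(url: str, dest: str) -> list:
    """Hardened shape: validated URL, ``--`` ends option parsing, ext:: is disabled."""
    if not is_safe_remote_url(url):
        raise ValueError("refused to clone from unsafe remote URL: %r" % url)
    return ["git", "-c", "protocol.ext.allow=never", "clone", "--", url, dest]


def clone(url: str, dest: str) -> subprocess.CompletedProcess:
    """Run the hardened clone. No shell is involved, so only git parses the URL."""
    return subprocess.run(build_clone_argv(url, dest), check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    for candidate in ("https://github.com/gitpython-developers/GitPython.git",
                      "git@github.com:gitpython-developers/GitPython.git",
                      "ext::sh -c touch% /tmp/pwned",      # constructed attack URL
                      "--upload-pack=touch /tmp/pwned"):   # constructed attack URL
        verdict = "ok" if is_safe_remote_url(candidate) else "REJECTED"
        print("%-55s %s" % (candidate, verdict))
```

The validator is deliberately an allow-list (three schemes plus scp-like `host:path`) rather than a deny-list of known-bad prefixes; the `--` separator and `protocol.ext.allow=never` are defence in depth in case a future URL form slips past the regexes. Local paths and `file://` are refused because the wrapper is meant for remote URLs only.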

Metadata

Created: 2022-12-06T06:30:17Z
Modified: 2024-11-18T16:26:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-hcpj-qp55-gfph/GHSA-hcpj-qp55-gfph.json
CWE IDs: CWE-20 (Improper Input Validation), CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Alternative ID: GHSA-hcpj-qp55-gfph
Finding: F184
Auto approve: 1