CVE-2023-41040 – gitpython
Package
Manager: pip
Name: gitpython
Vulnerable Version: >=0 <3.1.37
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00203 (percentile 0.42616)
Details
GitPython blind local file inclusion

### Summary

In order to resolve some git references, GitPython reads files from the `.git` directory. In some places the name of the file being read is provided by the user, and GitPython does not check whether the resulting path lies outside the `.git` directory. This allows an attacker to make GitPython read any file on the system.

### Details

The vulnerability is in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175

That code joins the base directory with a user-supplied string without checking whether the final path is located outside the base directory. I was able to exploit it from three places, but there may be more code paths that lead to it:

- https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L605
- https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L620
- https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/index/base.py#L1353

### PoC

Running GitPython inside any repository should work; here is an example using the GitPython repository itself. Each call makes GitPython open `.git/../README.md`, i.e. the README at the repository root, and then fails because the file's contents are not a valid reference. The `try`/`except` only keeps the script running past those failures; the file is read either way.

```python
import git

r = git.Repo(".")

# Each of these resolves the user-supplied name by joining it onto the .git
# directory, so "../README.md" makes GitPython read the README.md file from
# the root of the repo. The calls then raise, because the README is not a ref.
for call in (r.commit, r.tree, r.index.diff):
    try:
        call("../README.md")
    except Exception as exc:  # the read has already happened at this point
        print(f"{call.__name__}: {type(exc).__name__}")

# Reading /dev/random
# WARNING: this will block indefinitely (the file never ends); run with caution
# r.commit("../../../../../../../../../dev/random")
```

### Impact

I wasn't able to show the contents of the files (hence "blind" local file inclusion). Depending on how GitPython is being used, an attacker can use this for something as _inoffensive_ as checking whether a file exists, or to cause a DoS by making GitPython read a large or infinite file (such as `/dev/random` on Linux systems).

### Possible solutions

A solution would be to check that the final path is not located outside the `repodir` path (ideally after resolving symlinks). Other checks could also be added to make sure that reference names are valid.
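The following is an added example, not GitPython's code or the advisory author's fix: it shows the two defences suggested above side by side with the vulnerable pattern. `unsafe_ref_path` is the plain join the advisory describes; `safe_ref_path` first validates the reference name against a conservative subset of `git check-ref-format` rules (an assumption made for this example, not GitPython's own validation) and then confirms the fully resolved path, symlinks included, is still under the `.git` directory. The function names, the `.git` layout built in `demo()`, and the sample names are all constructed for illustration.

```python
import os
import re
import tempfile
from typing import Optional

# Conservative subset of what `git check-ref-format` rejects (assumption for this
# example): control chars, space, and the characters ~ ^ : ? * [ and backslash.
_BAD_CHARS = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")


def is_valid_ref_name(name: str) -> bool:
    """Return True only for names that look like legitimate git references."""
    if not name or name.startswith("/") or name.endswith("/") or "//" in name:
        return False
    if name.endswith(".lock") or name.endswith(".") or "@{" in name or ".." in name:
        return False
    if _BAD_CHARS.search(name):
        return False
    # No path component may start with "." (this also rules out "../" escapes).
    return all(part and not part.startswith(".") for part in name.split("/"))


def unsafe_ref_path(git_dir: str, name: str) -> str:
    """The pattern the advisory describes: join with no containment check.
    Any '../' in name walks straight out of git_dir."""
    return os.path.join(git_dir, name)


def safe_ref_path(git_dir: str, name: str) -> Optional[str]:
    """Hardened variant: validate the name, then require the resolved path
    (after following symlinks) to stay inside git_dir. Returns None on escape."""
    if not is_valid_ref_name(name):
        return None
    base = os.path.realpath(git_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway <repo>/.git layout (constructed here, not a real
    repository) and exercise both variants. Returns a dict of boolean checks."""
    with tempfile.TemporaryDirectory() as repo:
        git_dir = os.path.join(repo, ".git")
        os.makedirs(os.path.join(git_dir, "refs", "heads"))
        branch = os.path.join(git_dir, "refs", "heads", "main")
        with open(branch, "w") as fh:
            fh.write("0" * 40 + "\n")  # placeholder object id
        readme = os.path.join(repo, "README.md")
        with open(readme, "w") as fh:
            fh.write("outside .git\n")

        # A symlink inside .git pointing outside it: name validation alone
        # passes "refs/heads/escape", realpath-based containment catches it.
        link = os.path.join(git_dir, "refs", "heads", "escape")
        try:
            os.symlink(readme, link)
            symlink_ok = True
        except (OSError, NotImplementedError):
            symlink_ok = False  # e.g. no symlink privilege on Windows

        results = {
            "unsafe_reads_readme": os.path.realpath(unsafe_ref_path(git_dir, "../README.md"))
            == os.path.realpath(readme),
            "safe_rejects_traversal": safe_ref_path(git_dir, "../README.md") is None,
            "safe_rejects_dev_random": safe_ref_path(git_dir, "../../../../dev/random") is None,
            "safe_accepts_branch": safe_ref_path(git_dir, "refs/heads/main")
            == os.path.realpath(branch),
            "safe_rejects_symlink_escape": (not symlink_ok)
            or safe_ref_path(git_dir, "refs/heads/escape") is None,
        }
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The containment test compares `os.path.realpath` results rather than string prefixes, so `.git` versus `.gitx` style prefix confusions and symlinked components are both handled; the name check alone would not have caught the symlink case, which is why the advisory suggests doing both.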
Metadata
Created: 2023-08-30T20:09:36Z
Modified: 2024-11-19T19:31:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-cwvm-v4w8-q58c/GHSA-cwvm-v4w8-q58c.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-cwvm-v4w8-q58c
Finding: F063
Auto approve: 1