CVE-2024-22190

2024-01-1102:15:48

CWE-426

GitHub_M

web.nvd.nist.gov

gitpython

cve-2024-22190

incomplete fix

cve-2023-40590

untrusted search path

windows

v3.1.41

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

21.5%

JSON

GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run git, as well as when it runs bash.exe to interpret hooks. If either of those features are used on Windows, a malicious git.exe or bash.exe may be run from an untrusted repository. This issue has been patched in version 3.1.41.

Affected configurations

Nvd

Vulners

Node

gitpython_projectgitpythonRange<3.1.41python

VendorProductVersionCPE
gitpython_projectgitpython*cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*

Vendor	Product	Version	CPE
gitpython_project	gitpython	*	cpe:2.3:a:gitpython_project:gitpython::::::python::*

CNA Affected

[
  {
    "vendor": "gitpython-developers",
    "product": "GitPython",
    "versions": [
      {
        "version": "< 3.1.41",
        "status": "affected"
      }
    ]
  }
]