Lucene search

PRIOn knowledge basePRION:CVE-2022-24439

HistoryDec 06, 2022 - 5:15 a.m.

Design/Logic Flaw

2022-12-0605:15:00

PRIOn knowledge base

www.prio-n.com

remote code execution

user input validation

external calls

git

sanitization

9.4 High

AI Score

Confidence

High

0.011 Low

EPSS

Percentile

84.2%

JSON

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

CPENameOperatorVersion
debian_linuxeq10.0
fedoraeq36
fedoraeq37
fedoraeq38
gitpythonlt3.1.30

Name	Operator	Version
debian_linux	eq	10.0
fedora	eq	36
fedora	eq	37
fedora	eq	38
gitpython	lt	3.1.30

References

github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py%23L1249

lists.debian.org/debian-lts-announce/2023/07/msg00024.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X/

security.gentoo.org/glsa/202311-01

security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858