CVE-2022-24439

2022-12-0600:00:00

ubuntu.com

gitpython

remote code execution

user input validation

malicious url

clone command

vulnerability

external calls

git

sanitization

unix

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.011 Low

EPSS

Percentile

84.2%

JSON

All versions of package gitpython are vulnerable to Remote Code Execution
(RCE) due to improper user input validation, which makes it possible to
inject a maliciously crafted remote URL into the clone command. Exploiting
this vulnerability is possible because the library makes external calls to
git without sufficient sanitization of input arguments.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchpython-git< 2.1.8-1ubuntu0.1~esm1UNKNOWN
ubuntu20.04noarchpython-git< 3.0.7-1ubuntu0.1~esm1UNKNOWN
ubuntu22.04noarchpython-git< 3.1.24-1ubuntu0.1~esm1UNKNOWN
ubuntu22.10noarchpython-git< 3.1.27-1ubuntu0.1UNKNOWN
ubuntu23.10noarchpython-git< anyUNKNOWN
ubuntu24.04noarchpython-git< anyUNKNOWN
ubuntu14.04noarchpython-git< 0.3.2~RC1-3ubuntu0.1~esm1UNKNOWN
ubuntu16.04noarchpython-git< 1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	python-git	< 2.1.8-1ubuntu0.1~esm1	UNKNOWN
ubuntu	20.04	noarch	python-git	< 3.0.7-1ubuntu0.1~esm1	UNKNOWN
ubuntu	22.04	noarch	python-git	< 3.1.24-1ubuntu0.1~esm1	UNKNOWN
ubuntu	22.10	noarch	python-git	< 3.1.27-1ubuntu0.1	UNKNOWN
ubuntu	23.10	noarch	python-git	< any	UNKNOWN
ubuntu	24.04	noarch	python-git	< any	UNKNOWN
ubuntu	14.04	noarch	python-git	< 0.3.2~RC1-3ubuntu0.1~esm1	UNKNOWN
ubuntu	16.04	noarch	python-git	< 1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm1	UNKNOWN