Lucene search

Veracode Vulnerability DatabaseVERACODE:45009

HistoryJan 12, 2024 - 6:59 a.m.

Arbitrary Code Execution

2024-01-1206:59:12

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gitpython vulnerability untrusted repository

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.9%

JSON

gitpython is vulnerable to Arbitrary Code Execution. The vulnerability is due to an untrusted shell search path used to run the git executable, as well as when it runs bash.exe to interpret hooks. If either of these is used, a malicious .exe file may be executed from an untrusted repository.

CPENameOperatorVersion
gitpythonle3.1.40
gitpythonle3.1.40

CPE	Name	Operator	Version
	gitpython	le	3.1.40
	gitpython	le	3.1.40

References

github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f

github.com/gitpython-developers/GitPython/pull/1792

github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.9%

JSON

Related for VERACODE:45009