Skip to content

GitPython vulnerable to Remote Code Execution due to improper user input validation

High severity GitHub Reviewed Published Dec 6, 2022 to the GitHub Advisory Database • Updated Sep 20, 2024

Package

pip GitPython (pip)

Affected versions

<= 3.1.29

Patched versions

3.1.30

Description

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

References

Published by the National Vulnerability Database Dec 6, 2022
Published to the GitHub Advisory Database Dec 6, 2022
Reviewed Dec 6, 2022
Last updated Sep 20, 2024

Severity

High

EPSS score

1.185%
(86th percentile)

CVE ID

CVE-2022-24439

GHSA ID

GHSA-hcpj-qp55-gfph

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.