gitpython@0.3.0-beta2 vulnerabilities

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Untrusted Search Path via the use of an untrusted search path on Windows. An attacker can execute arbitrary code by placing a malicious git.exe or bash.exe in the current directory, which may then be executed instead of the legitimate binaries when certain GitPython features are used.

Notes:

1. This is a completion of the fix for CVE-2023-40590.

2. When GitPython runs git directly rather than through a shell, the GitPython process performs the path search, and omits the current directory by setting NoDefaultCurrentDirectoryInExePath in its own environment during the Popen call.

3. GitPython sets the subprocess CWD to the root of a repository's working tree. Using a shell will run a malicious git.exe in an untrusted repository even if GitPython itself is run from a trusted location. This also applies if git.execute is called directly with shell=True or after git.USE_SHELL = True, to run any command.

4. On Windows, GitPython uses bash.exe to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running bash.exe in the current directory. While bash.exe is a shell, this is a separate scenario from when git is run using the unrelated Windows cmd.exe shell.

Upgrade GitPython to version 3.1.41 or higher.

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Directory Traversal due to improper validation of the final path. Although this vulnerability cannot be used to read the contents of files, it could potentially be used to trigger a denial of service for the program.

Upgrade GitPython to version 3.1.35 or higher.

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Untrusted Search Path allowing an attacker to run any arbitrary commands through a downloaded repository with a malicious git executable.

Note: This vulnerability affects only Windows systems.

Upgrade GitPython to version 3.1.33 or higher.

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to an improper fix for CVE-2022-24439, which allows insecure non-multi options in clone and clone_from.

Upgrade GitPython to version 3.1.32 or higher.

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. This is only relevant when enabling the ext transport protocol.

Upgrade GitPython to version 3.1.30 or higher.

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when a user controls the input passed to the pattern matching function.

Upgrade GitPython to version 3.1.27 or higher.