gitpython@3.1.38 vulnerabilities

GitPython is a Python library used to interact with Git repositories

latest version

3.1.43
latest non vulnerable version

3.1.43
first published

14 years ago
latest version published

a month ago
licenses detected
- BSD-2-Clause
  [0.1.7,3.1.41)
View gitpython package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the gitpython package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Untrusted Search Path GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Untrusted Search Path via the use of an untrusted search path on Windows. An attacker can execute arbitrary code by placing a malicious `git.exe` or `bash.exe` in the current directory, which may then be executed instead of the legitimate binaries when certain GitPython features are used. Notes: This is a completion of the fix for CVE-2023-40590. When GitPython runs `git` directly rather than through a shell, the GitPython process performs the path search, and omits the current directory by setting `NoDefaultCurrentDirectoryInExePath` in its own environment during the `Popen` call. GitPython sets the subprocess CWD to the root of a repository's working tree. Using a shell will run a malicious git.exe in an untrusted repository even if GitPython itself is run from a trusted location. This also applies if `git.execute` is called directly with `shell=True` or after `git.USE_SHELL = True`, to run any command. On Windows, GitPython uses bash.exe to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running bash.exe in the current directory. While bash.exe is a shell, this is a separate scenario from when git is run using the unrelated Windows cmd.exe shell. How to fix Untrusted Search Path? Upgrade `GitPython` to version 3.1.41 or higher.	[,3.1.41)

Untrusted Search Path

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Untrusted Search Path via the use of an untrusted search path on Windows. An attacker can execute arbitrary code by placing a malicious git.exe or bash.exe in the current directory, which may then be executed instead of the legitimate binaries when certain GitPython features are used.

Notes:

This is a completion of the fix for CVE-2023-40590.
When GitPython runs git directly rather than through a shell, the GitPython process performs the path search, and omits the current directory by setting NoDefaultCurrentDirectoryInExePath in its own environment during the Popen call.
GitPython sets the subprocess CWD to the root of a repository's working tree. Using a shell will run a malicious git.exe in an untrusted repository even if GitPython itself is run from a trusted location. This also applies if git.execute is called directly with shell=True or after git.USE_SHELL = True, to run any command.
On Windows, GitPython uses bash.exe to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running bash.exe in the current directory. While bash.exe is a shell, this is a separate scenario from when git is run using the unrelated Windows cmd.exe shell.

How to fix Untrusted Search Path?

Upgrade GitPython to version 3.1.41 or higher.

[,3.1.41)

Go back to all versions of this package

gitpython@3.1.38 vulnerabilities

GitPython is a Python library used to interact with Git repositories

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities