Untrusted Search Path Affecting gitpython package, versions [,3.1.41)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (23rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-GITPYTHON-6150683
  • published11 Jan 2024
  • disclosed10 Jan 2024
  • creditEliahKagan

Introduced: 10 Jan 2024

CVE-2024-22190  (opens in a new tab)
CWE-426  (opens in a new tab)

How to fix?

Upgrade GitPython to version 3.1.41 or higher.

Overview

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Untrusted Search Path via the use of an untrusted search path on Windows. An attacker can execute arbitrary code by placing a malicious git.exe or bash.exe in the current directory, which may then be executed instead of the legitimate binaries when certain GitPython features are used.

Notes:

  1. This is a completion of the fix for CVE-2023-40590.

  2. When GitPython runs git directly rather than through a shell, the GitPython process performs the path search, and omits the current directory by setting NoDefaultCurrentDirectoryInExePath in its own environment during the Popen call.

  3. GitPython sets the subprocess CWD to the root of a repository's working tree. Using a shell will run a malicious git.exe in an untrusted repository even if GitPython itself is run from a trusted location. This also applies if git.execute is called directly with shell=True or after git.USE_SHELL = True, to run any command.

  4. On Windows, GitPython uses bash.exe to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running bash.exe in the current directory. While bash.exe is a shell, this is a separate scenario from when git is run using the unrelated Windows cmd.exe shell.

PoC

mkdir testrepo
git init testrepo
cp ... testrepo\git.exe  # Replace "..." with any executable of choice.
python -c "import git; print(git.Repo('testrepo').git.version(shell=True))"

CVSS Scores

version 3.1