Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

CVE-2023-40590 (High) detected in GitPython-3.1.29-py3-none-any.whl #3366

Open
mend-bolt-for-github bot opened this issue Dec 26, 2023 · 1 comment
Open

CVE-2023-40590 (High) detected in GitPython-3.1.29-py3-none-any.whl #3366

mend-bolt-for-github bot opened this issue Dec 26, 2023 · 1 comment
Assignees
@AlexRogalskiy
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend needs/triage

Comments

@mend-bolt-for-github
Copy link

mend-bolt-for-github bot commented Dec 26, 2023
edited
Loading

CVE-2023-40590 - High Severity Vulnerability

Vulnerable Library - GitPython-3.1.29-py3-none-any.whl

GitPython is a Python library used to interact with Git repositories

Library home page: https://files.pythonhosted.org/packages/1f/d3/020efb312a7d25fa00e144497a33378d415552e5581be080a99017af6d39/GitPython-3.1.29-py3-none-any.whl

Path to dependency file: /docs/requirements.txt

Path to vulnerable library: /docs/requirements.txt,/docs/requirements.txt,/tmp/ws-scm/java-patterns

Dependency Hierarchy:

  • GitPython-3.1.29-py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the git command, if a user runs GitPython from a repo has a git.exe or git executable, that program will be run instead of the one in the user's PATH. This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo. An attacker can trick a user to download a repository with a malicious git executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands. There is no fix currently available for windows users, however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like C:\\Program Files\\Git\\cmd\\git.EXE (default git path installation). 2: Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems. 3: Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the GIT_PYTHON_GIT_EXECUTABLE env var to an absolute path. 4: Resolve the executable manually by only looking into the PATH environment variable.

Publish Date: 2023-08-28

URL: CVE-2023-40590

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wfm5-v35h-vwf4

Release Date: 2023-08-28

Fix Resolution: GitPython - 3.1.33

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Dec 26, 2023
@github-actions GitHub Actions
Copy link
Contributor

👋 Thanks for reporting!

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@AlexRogalskiy AlexRogalskiy

Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend needs/triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@AlexRogalskiy