CVE-2023-40590: Untrusted search path on Windows systems leading to arbitrary code execution #1635

igirardi opened this issue Aug 30, 2023 · 6 comments · Fixed by #1636
Comments

igirardi commented Aug 30, 2023

This appeared in the CVE additional information here GHSA-wfm5-v35h-vwf4.

I found it reported already. I am reporting it here just in case.

@igirardi igirardi changed the title CVE-2023-40267: Remote Code Execution (RCE) CVE-2023-40590: Remote Code Execution (RCE) Aug 30, 2023
@igirardi igirardi changed the title CVE-2023-40590: Remote Code Execution (RCE) CVE-2023-40590: Untrusted search path on Windows systems leading to arbitrary code execution Aug 30, 2023
Byron (Member) commented Aug 30, 2023

Thanks. This advisory originated in this repository and is thus known: GHSA-wfm5-v35h-vwf4.

However, it seems hard to communicate using an advisory, so we can keep this issue open to collect comments.

stsewd (Contributor) commented Aug 30, 2023

BTW, there is another vulnerability that was reported, that is also pending a fix GHSA-cwvm-v4w8-q58c. Looks like a CVE wasn't requested for that one.

Byron (Member) commented Aug 30, 2023

I thought for something less critical, it wouldn't be worth a whole CVE entry.
As collaborator (and author) of the GHSA, are you able to request a CVE? If so, please go ahead if you think there should be one. Otherwise I will do it as per your request. Thanks.

stsewd (Contributor) commented Aug 30, 2023

@Byron only maintainers can request CVEs. If this was intentional, I don't mind having no CVE for that advisory 👍, I was suggesting it since it looks like people are more pending on CVEs than plain advisories (or that seems to me). We could also create a new issue linking to the advisory, so people are more aware of it.

Byron (Member) commented Aug 30, 2023

I am happy to follow your advice and requested a CVE. It should increase visibility and with that, the chance for a fix.

Byron (Member) commented Sep 1, 2023

The fix was released here: https://pypi.org/project/GitPython/3.1.33/
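The vulnerability class named in this issue's title, an untrusted search path on Windows, comes from how Windows' CreateProcess locates a bare program name: it consults the current working directory before the PATH environment variable, so a file named like the expected tool that sits in the directory a program operates on (for a git wrapper, the repository itself) can be started instead of the intended binary. The example below is an added illustration of the defensive pattern, not GitPython's own code or its actual fix: resolve the program to an absolute path from a search path that excludes the working directory, then hand that absolute path to subprocess so no further lookup happens. The names resolve_trusted_executable, UntrustedExecutableError, run_git and demo are assumptions of this example, and the temporary-directory scenario in demo is constructed.

```python
"""Resolve an executable without trusting the current working directory.

Added example for the vulnerability class in this issue (untrusted search
path on Windows); not GitPython's code. The helper names used here are
assumptions of this example.
"""
import os
import shutil
import subprocess
from typing import Optional


class UntrustedExecutableError(RuntimeError):
    """Raised when the program is only found in an untrusted directory."""


def resolve_trusted_executable(name: str, search_path: Optional[str] = None,
                               cwd: Optional[str] = None) -> str:
    """Return the absolute path of ``name`` found on ``search_path``
    (default: the PATH environment variable), skipping any search entry
    that denotes the current working directory."""
    if os.path.dirname(name):
        # A relative path would be resolved against cwd, which is what we avoid.
        raise ValueError("expected a bare program name, got a path: %r" % name)
    cwd = os.path.realpath(cwd or os.getcwd())
    raw_path = search_path if search_path is not None else os.environ.get("PATH", "")
    entries = []
    for entry in raw_path.split(os.pathsep):
        # An empty entry and "." both mean "the current directory".
        if entry in ("", ".") or os.path.realpath(entry) == cwd:
            continue
        entries.append(entry)
    found = shutil.which(name, path=os.pathsep.join(entries))
    if found is None:
        raise UntrustedExecutableError("%r not found on a trusted search path" % name)
    found = os.path.realpath(found)
    # Belt and braces: older Pythons prepend cwd to the path inside
    # shutil.which on Windows regardless of what we passed.
    if os.path.dirname(found) == cwd:
        raise UntrustedExecutableError("%r resolves into the working directory" % found)
    return found


def run_git(args, cwd=None):
    """Run git by absolute path so the OS performs no search of its own."""
    git = resolve_trusted_executable("git", cwd=cwd)
    return subprocess.run([git, *args], cwd=cwd, capture_output=True,
                          text=True, check=False)


def demo() -> dict:
    """Constructed scenario (POSIX layout): a fake ``tool`` planted in the
    working directory and a trusted copy elsewhere. Returns which copy the
    resolver picks and whether a cwd-only search is refused."""
    import tempfile
    untrusted = tempfile.mkdtemp(prefix="cwd-")
    trusted = tempfile.mkdtemp(prefix="trusted-")
    for directory in (untrusted, trusted):
        path = os.path.join(directory, "tool")
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho tool\n")
        os.chmod(path, 0o755)
    # The planted copy comes first on the search path, as cwd would on Windows.
    both = os.pathsep.join([untrusted, ".", trusted])
    picked = resolve_trusted_executable("tool", search_path=both, cwd=untrusted)
    try:
        resolve_trusted_executable("tool", search_path=untrusted, cwd=untrusted)
        refused = False
    except UntrustedExecutableError:
        refused = True
    return {
        "picked": picked,
        "picked_is_trusted": os.path.dirname(picked) == os.path.realpath(trusted),
        "refused_cwd_only": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately applied after resolution as well as before, because the search-path filtering alone is not enough on interpreters where the library prepends the working directory itself; passing the resulting absolute path to subprocess is what removes the OS-level lookup.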


3 participants