PyPi: Gitpython

CVE-2023-40590

Safety vulnerability ID: 60789

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Aug 28, 2023. Updated at Mar 31, 2024.

Advisory

Gitpython 3.1.33 includes a fix for CVE-2023-40590: Untrusted search path on Windows systems leading to arbitrary code execution.
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-wfm5-v35h-vwf4

Affected package

gitpython

Latest version: 3.1.43

GitPython is a Python library used to interact with Git repositories

Affected versions

Versions before 3.1.33

Fixed versions

3.1.33
Vulnerability changelog

GitPython is a Python library used to interact with Git repositories. When resolving a program to run, Python on Windows looks in the current working directory first and only then in the `PATH` environment variable. GitPython defaults to running the `git` command, so if a user runs GitPython from a repository that contains a `git.exe` or `git` executable, that program is run instead of the one in the user's `PATH`. This is really a problem with how Python interacts with Windows; Linux and other operating systems are not affected. But people using GitPython probably often run it from the working directory of a repository. An attacker can trick a user into downloading a repository that contains a malicious `git` executable; if the user runs or imports GitPython from that directory, the attacker can execute arbitrary commands. There is no fix currently available for Windows users, but there are a few mitigations:

1. Default to an absolute path for the git program on Windows, such as `C:\Program Files\Git\cmd\git.EXE` (the default Git installation path).
2. Require users to set the `GIT_PYTHON_GIT_EXECUTABLE` environment variable on Windows systems.
3. Make this problem prominent in the documentation and advise users never to run GitPython from an untrusted repository, or to set the `GIT_PYTHON_GIT_EXECUTABLE` environment variable to an absolute path.
4. Resolve the executable manually by looking only in the `PATH` environment variable.

See CVE-2023-40590.
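The following is an added example, not code from GitPython or from the advisory, showing mitigations 2 and 4 in practice: it resolves `git` by walking `PATH` only (skipping empty and relative entries, which Windows would resolve against the working directory), flags a working directory that contains a `git` executable that would shadow the real one, and pins GitPython to the resolved absolute path through `GIT_PYTHON_GIT_EXECUTABLE` before `import git`. The function and variable names are this example's own; `demo()` constructs a throwaway directory with a fake `git` file as sample input.

```python
"""Resolve git from PATH only (never the CWD) and pin GitPython to it.
Added example for CVE-2023-40590; not GitPython's own code."""
import os
import sys
import tempfile
from typing import List, Optional

GIT_ENV_VAR = "GIT_PYTHON_GIT_EXECUTABLE"  # honoured by GitPython at import time


def _candidate_names(name: str) -> List[str]:
    # Windows tries each PATHEXT suffix (git.exe, git.cmd, ...); mimic that so
    # the search matches what CreateProcess would accept. POSIX: bare name only.
    if sys.platform != "win32":
        return [name]
    exts = os.environ.get("PATHEXT", ".EXE;.CMD;.BAT;.COM").split(os.pathsep)
    return [name + ext for ext in exts if ext] + [name]


def resolve_from_path_only(name: str = "git",
                           path: Optional[str] = None) -> Optional[str]:
    """Return the absolute path of `name` found via PATH entries, or None.

    Empty and relative PATH entries are skipped on purpose: they resolve
    relative to the current working directory, which is exactly the
    untrusted search path the advisory describes.
    """
    search = os.environ.get("PATH", "") if path is None else path
    for entry in search.split(os.pathsep):
        if not entry or not os.path.isabs(entry):
            continue
        for cand in _candidate_names(name):
            full = os.path.join(entry, cand)
            if os.path.isfile(full) and os.access(full, os.X_OK):
                return os.path.normpath(full)
    return None


def cwd_shadows_git(cwd: Optional[str] = None, name: str = "git") -> bool:
    """True if the working directory holds a file Windows would run instead
    of the real git, i.e. the condition the advisory warns about."""
    base = os.getcwd() if cwd is None else cwd
    return any(os.path.isfile(os.path.join(base, c))
               for c in _candidate_names(name))


def pin_gitpython_executable(name: str = "git") -> str:
    """Set GIT_PYTHON_GIT_EXECUTABLE to a PATH-resolved absolute path before
    `import git`, so GitPython never spawns a bare `git` name."""
    resolved = resolve_from_path_only(name)
    if resolved is None:
        raise FileNotFoundError(f"{name!r} not found on PATH")
    os.environ[GIT_ENV_VAR] = resolved
    return resolved


def demo(tmp_root: Optional[str] = None) -> dict:
    """Build a throwaway 'repository' containing a fake git (constructed
    sample data) and report what the helpers say about it."""
    root = tempfile.mkdtemp(prefix="cve-2023-40590-") if tmp_root is None else tmp_root
    repo = os.path.join(root, "untrusted-repo")
    os.makedirs(repo, exist_ok=True)
    fake = os.path.join(repo, _candidate_names("git")[0])
    with open(fake, "w") as fh:
        fh.write("@echo off\n" if sys.platform == "win32" else "#!/bin/sh\n")
    os.chmod(fake, 0o755)
    return {
        # the repo directory would shadow the real git on Windows
        "shadowed": cwd_shadows_git(repo),
        # a PATH made only of CWD-relative entries resolves nothing
        "relative_only": resolve_from_path_only("git", path=os.pathsep.join(["", "."])),
        # an absolute PATH entry resolves to the absolute file path
        "absolute": resolve_from_path_only("git", path=repo) == os.path.normpath(fake),
    }


if __name__ == "__main__":
    print(demo())
    if cwd_shadows_git():
        print("warning: a git executable in the CWD would shadow the real git on Windows")
    print("GitPython pinned to", pin_gitpython_executable())
    # import git  # safe to import now; GitPython reads GIT_PYTHON_GIT_EXECUTABLE
```

Call `pin_gitpython_executable()` before the first `import git` in the process; GitPython reads the environment variable once at import, so setting it afterwards has no effect. The resolver deliberately does not use `shutil.which`, because on Windows that function itself prepends the current directory to the search on older Python versions.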


Resources

https://docs.python.org/3/library/subprocess.html#popen-constructor
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-wfm5-v35h-vwf4


Severity Details

CVSS Base Score

HIGH 7.8

CVSS v3 Details

HIGH 7.8
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): HIGH