PyPi: Readmeai

CVE-2023-40590

Transitive

Safety vulnerability ID: 61146

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Aug 28, 2023. Updated at Nov 29, 2024.

Advisory

Readmeai 0.3.16 updates its dependency 'gitpython' to v3.1.35 to include a security fix.

Affected package

readmeai

Latest version: 0.5.99.post5

Automated README file generator, powered by AI.

Affected versions

Fixed versions

Vulnerability changelog

⚠️ Release v0.0.7 addresses a security vulnerability in cloning git repositories via the *GitPython* package on Windows systems. This vulnerability could allow arbitrary command execution if code is run from a directory containing a malicious `git.exe` or `git` executable.

🔐 Security Fixes
*Arbitrary Command Execution Mitigation*

- Dependabot Alert [3](https://github.com/eli64s/readme-ai/security/dependabot/3): GitPython untrusted search path on Windows systems leading to arbitrary code execution.
- The previous git clone implementation sets the `env` argument to the path of the git executable in the current working directory. This poses a security risk, as the code is susceptible to running arbitrary `git` commands from a malicious repository.

```python
git.Repo.clone_from(repo_path, temp_dir, depth=1)
```

- Updated the `env` argument to explicitly set the absolute path of the git executable. This ensures that the git executable used to clone the repository is the one that's installed in the system path, not the one located in the current working directory.

```python
git.Repo.clone_from(repo_path, temp_dir, depth=1, env=git_exec_path)
```

🚀 New Features and Enhancements

*Code Modularity*

- Introduced three methods to help isolate the Git executable discovery and validation logic:
  - `find_git_executable()`: Determines the absolute path of the Git executable.
  - `validate_git_executable()`: Validates the found Git executable path.
  - `validate_file_permissions()`: Validates the file permissions of the cloned repository.

*File Permission Checks*

- For Unix systems, added checks to ensure the permissions of the cloned repository are set to `0o700`. This is a best practice for secure temporary directories and prevents unauthorized users from accessing the directory.

⚠️ These updates aim to mitigate the vulnerability raised in Dependabot alert [3](https://github.com/eli64s/readme-ai/security/dependabot/3). Users are advised to update *readme-ai* to the latest version, i.e. `pip install --upgrade readmeai`. Please be mindful of this vulnerability and use caution when cloning repositories from untrusted sources, especially for Windows users.
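As an added example (not readme-ai's own code), a defensive version of the three helpers the changelog names: git discovery that skips the working directory, validation of the result, and the `0o700` permission check on the clone directory. The `path_env`, `cwd` and `pathext` parameters are assumptions introduced here so the logic can be exercised offline on a constructed directory layout.

```python
import os
import tempfile
from pathlib import Path

def find_git_executable(path_env, cwd, pathext=("",)):
    """Absolute path of git on PATH, never from the CWD; pathext mimics Windows PATHEXT."""
    cwd = Path(cwd).resolve()
    for entry in filter(None, path_env.split(os.pathsep)):  # '' entry means CWD
        directory = Path(entry).resolve()
        if directory == cwd:
            continue  # the untrusted search location behind CVE-2023-40590
        for ext in pathext:
            candidate = directory / f"git{ext}"
            if candidate.is_file() and os.access(candidate, os.X_OK):
                return validate_git_executable(candidate, cwd)
    raise FileNotFoundError("git executable not found on PATH")

def validate_git_executable(candidate, cwd):
    """Reject anything that is not a regular file or that lives under the CWD."""
    candidate = Path(candidate).resolve()
    if not candidate.is_file():
        raise ValueError(f"{candidate} is not a regular file")
    if Path(cwd).resolve() in candidate.parents:
        raise ValueError(f"git executable under working directory: {candidate}")
    return str(candidate)

def validate_file_permissions(directory):
    """Require mode 0o700 on POSIX; Windows uses ACLs, so only the stat must succeed."""
    mode = os.stat(directory).st_mode & 0o777
    if os.name == "posix" and mode != 0o700:
        raise PermissionError(f"{directory} has mode {oct(mode)}, expected 0o700")
    return True

def demo():
    """Constructed layout: a planted git in the working directory must lose to PATH."""
    root = Path(tempfile.mkdtemp())
    work, bindir = root / "work", root / "bin"
    for d in (work, bindir):
        d.mkdir()
        (d / "git").write_text("#!/bin/sh\n")
        (d / "git").chmod(0o755)
    # PATH lists the working directory first, as a leading '.' or '' entry would.
    chosen = find_git_executable(os.pathsep.join([str(work), str(bindir)]), cwd=work)
    try:  # with only the planted copy reachable, discovery must fail closed
        find_git_executable(str(work), cwd=work)
        rejected = False
    except FileNotFoundError:
        rejected = True
    clone_dir = tempfile.mkdtemp(dir=root)  # mkdtemp creates the directory 0o700
    return Path(chosen) == (bindir / "git").resolve(), rejected, validate_file_permissions(clone_dir)
```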

---


Severity Details

CVSS Base Score

HIGH 7.8

CVSS v3 Details

HIGH 7.8

| Metric | Value |
| --- | --- |
| Attack Vector (AV) | LOCAL |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | REQUIRED |
| Scope (S) | UNCHANGED |
| Confidentiality Impact (C) | HIGH |
| Integrity Impact (I) | HIGH |
| Availability Impact (A) | HIGH |