CVE-2022-24439 (https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858): All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

There's another reference which is 404: https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py#L1249

There's an upstream report at URL, no reference to that report in the Snyk report though. No fix yet.
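As an added example (not GitPython's own code and not the fix that shipped upstream), this is the kind of input check the report says was missing: validate the remote URL and stop git's option parsing with `--` before the URL is handed over. The scheme allowlist, the scp-like pattern and the function names are assumptions.

```python
"""Reject option-like or helper-transport "URLs" before calling git clone."""
import re
import subprocess
from urllib.parse import urlsplit

# Transports we are willing to let git dial (assumed allowlist); anything
# else, including helper-style transports such as ext::, is refused.
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# scp-like form "user@host:path"; host must not look like an option and the
# part after the colon must not begin with ':' or '-'.
_SCP_LIKE = re.compile(r"^(?:[\w.-]+@)?[A-Za-z0-9][\w.-]*:[^\s:-][^\s]*$")


class UnsafeRemoteURL(ValueError):
    """Raised when a remote does not look like a plain clone source."""


def validate_remote_url(url: str) -> str:
    """Return url unchanged if it is a plain remote, otherwise raise."""
    if not url or any(c.isspace() or c == "\x00" for c in url):
        raise UnsafeRemoteURL("empty URL or whitespace/NUL inside it")
    # A leading '-' would be parsed by git as an option, not as a remote.
    if url.startswith("-"):
        raise UnsafeRemoteURL("URL begins with '-' (would be read as an option)")
    if "://" in url:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            raise UnsafeRemoteURL(f"transport {parts.scheme!r} not allowed")
        if not parts.netloc or parts.netloc.startswith("-"):
            raise UnsafeRemoteURL("missing or option-like host")
        return url
    if _SCP_LIKE.match(url):
        return url
    raise UnsafeRemoteURL("unrecognised remote syntax")


def is_safe_remote_url(url: str) -> bool:
    try:
        validate_remote_url(url)
        return True
    except UnsafeRemoteURL:
        return False


def build_clone_argv(url: str, dest: str) -> list[str]:
    """argv for git clone; '--' ends option parsing before the URL."""
    safe = validate_remote_url(url)
    if dest.startswith("-"):
        raise UnsafeRemoteURL("destination begins with '-'")
    return ["git", "clone", "--", safe, dest]


def clone(url: str, dest: str) -> subprocess.CompletedProcess:
    # Pass an argv list, never a shell string, so nothing is re-parsed.
    return subprocess.run(build_clone_argv(url, dest), check=True)
```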
"No fix is planned, and this issue is triaged as 'help wanted'."
Honestly? I hate this horror of a package and I'd love to see it gone. Unfortunately, it has a bunch of revdeps...
3.1.30 is released according to the issue at URL, and is pushed to PyPI.
Thanks!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=c77ebbf690aa9db206075b255adc3de59632bb55

commit c77ebbf690aa9db206075b255adc3de59632bb55
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-01 12:20:26 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-01 12:21:08 +0000

    [ GLSA 202311-01 ] GitPython: Code Execution via Crafted Input

    Bug: https://bugs.gentoo.org/884623
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)