All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
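An added example (not GitPython's code) of the defender-side check the description above calls for: validate an untrusted remote URL against an allowlist before it reaches git, and build the clone argv so that neither the URL nor the destination can be read by git as an option. `ALLOWED_SCHEMES`, `validate_remote_url`, `clone_argv` and the scp-style regex are this example's own choices, not GitPython's API.

```python
import re
from urllib.parse import urlsplit

# Transports allowed for an untrusted remote (this example's own allowlist).
# Git also has remote-helper transports such as ext:: that run a local
# program; they are deliberately absent.
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# scp-style form user@host:path; the path may not start with ':' or '-'.
_SCP_LIKE = re.compile(r"^(?:[\w.-]+@)?[\w.-]+:[\w./~][^\s]*$")

class UnsafeRemoteURL(ValueError):
    """Raised for any URL this example refuses to hand to git."""

def validate_remote_url(url: str) -> str:
    """Return `url` unchanged if it passes every check, otherwise raise."""
    if not url or url != url.strip():
        raise UnsafeRemoteURL("empty or whitespace-padded URL")
    if url.startswith("-"):  # git would read this as an option, not a URL
        raise UnsafeRemoteURL("URL starts with '-' (option injection)")
    if any(ord(ch) < 0x20 for ch in url):
        raise UnsafeRemoteURL("control character in URL")
    if "://" in url:
        scheme = urlsplit(url).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            raise UnsafeRemoteURL(f"transport {scheme!r} not allowed")
        return url
    if _SCP_LIKE.match(url):
        return url
    raise UnsafeRemoteURL("unrecognised URL form")

def is_safe_remote_url(url: str) -> bool:
    try:
        validate_remote_url(url)
        return True
    except UnsafeRemoteURL:
        return False

def clone_argv(url: str, dest: str) -> list[str]:
    """argv for `git clone` of a validated URL, to run with subprocess.run
    (shell=False). '--' stops git from reading either argument as an option
    and protocol.ext.allow=never disables the ext:: helper as a second layer."""
    url = validate_remote_url(url)
    if dest.startswith("-"):
        raise UnsafeRemoteURL("destination starts with '-'")
    return ["git", "-c", "protocol.ext.allow=never", "clone", "--", url, dest]
```

Run the returned argv with `subprocess.run(argv, check=True)`; never join it into a shell string.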
There's another reference which is 404: https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py%23L1249
There's an upstream report at URL; no reference to that report in the Snyk report, though. No fix yet.
"No fix is planned, and this issue is triaged as 'help wanted'."
Honestly? I hate this horror of a package and I'd love to see it gone. Unfortunately, it has a bunch of revdeps...
3.1.30 is released according to the issue at URL, and is pushed to PyPI.
The bug has been referenced in the following commit(s):
Author: GLSAMaker <email@example.com>
AuthorDate: 2023-11-01 12:20:26 +0000
Commit: Hans de Graaff <firstname.lastname@example.org>
CommitDate: 2023-11-01 12:21:08 +0000
[ GLSA 202311-01 ] GitPython: Code Execution via Crafted Input
Signed-off-by: GLSAMaker <email@example.com>
Signed-off-by: Hans de Graaff <firstname.lastname@example.org>
glsa-202311-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)