CVE-2023-40590 (High) detected in GitPython-3.1.29-py3-none-any.whl
mend-bolt-for-github opened this issue · comments
CVE-2023-40590 - High Severity Vulnerability
Vulnerable Library - GitPython-3.1.29-py3-none-any.whl
GitPython is a Python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/1f/d3/020efb312a7d25fa00e144497a33378d415552e5581be080a99017af6d39/GitPython-3.1.29-py3-none-any.whl
Path to dependency file: /docs/requirements.txt
Path to vulnerable library: /docs/requirements.txt,/docs/requirements.txt,/tmp/ws-scm/java-patterns
Dependency Hierarchy:
- ❌ GitPython-3.1.29-py3-none-any.whl (Vulnerable Library)
Found in base branch: master
Vulnerability Details
GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the git
command, if a user runs GitPython from a repo has a git.exe
or git
executable, that program will be run instead of the one in the user's PATH
. This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo. An attacker can trick a user to download a repository with a malicious git
executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands. There is no fix currently available for windows users, however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like C:\\Program Files\\Git\\cmd\\git.EXE
(default git path installation). 2: Require users to set the GIT_PYTHON_GIT_EXECUTABLE
environment variable on Windows systems. 3: Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the GIT_PYTHON_GIT_EXECUTABLE
env var to an absolute path. 4: Resolve the executable manually by only looking into the PATH
environment variable.
Publish Date: 2023-08-28
URL: CVE-2023-40590
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-wfm5-v35h-vwf4
Release Date: 2023-08-28
Fix Resolution: GitPython - 3.1.33
Step up your Open Source Security Game with Mend here
👋 Thanks for reporting!