PT-2023-4724 · Pypi+6 · Gitpython+6

Beuc

Publicado

2023-07-25

Atualizado

2026-04-26

CVE-2023-40267

CVSS v2.0

Crítica

Vetor

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions GitPython versions prior to 3.1.32

Description The issue is related to errors in processing input data in the GitPython library, which can allow a remote attacker to execute arbitrary code by injecting a specially crafted URL into the clone command. This is due to improper validation of user input, making it possible to inject a maliciously crafted remote URL into the clone command. The library makes external calls to git without sufficient sanitization of input arguments.

Recommendations For versions prior to 3.1.32, update to version 3.1.32 or later to resolve the issue. As a temporary workaround, consider restricting the use of the clone and clone from functions until a patch is available. Avoid using insecure non-multi options in the clone and clone from commands to minimize the risk of exploitation.

Correção

RCE

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20CWE-78

Identificadores relacionados

ALT-PU-2023-8416

BDU:2023-05150

CVE-2023-40267

DLA-3502-1

DLA-3939-1

GHSA-PR76-5CM5-W9CJ

OESA-2023-1529

OPENSUSE-SU-2024:13146-1

PYSEC-2023-137

RHSA-2023:4971

RHSA-2023:4991

RHSA-2023:5931

RHSA-2023:6818

RLSA-2023:6818

USN-6326-1

Produtos afetados

Alt Linux

Astra Linux

Gitpython

Linuxmint

Red Os

Rocky Linux

Ubuntu

PT-2023-4724 · Pypi+6 · Gitpython+6

CVE-2023-40267

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 36