CVE-2023-40267

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions GitPython versions prior to 3.1.32

Description The issue is related to errors in processing input data in the GitPython library, which can allow a remote attacker to execute arbitrary code by injecting a specially crafted URL into the clone command. This is due to improper validation of user input, making it possible to inject a maliciously crafted remote URL into the clone command. The library makes external calls to git without sufficient sanitization of input arguments.

Recommendations For versions prior to 3.1.32, update to version 3.1.32 or later to resolve the issue. As a temporary workaround, consider restricting the use of the clone and clone from functions until a patch is available. Avoid using insecure non-multi options in the clone and clone from commands to minimize the risk of exploitation.

Fix

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-78

Related Identifiers

ALT-PU-2023-8416

BDU:2023-05150

CVE-2023-40267

DLA-3502-1

DLA-3939-1

GHSA-PR76-5CM5-W9CJ

OESA-2023-1529

OPENSUSE-SU-2024:13146-1

PYSEC-2023-137

RHSA-2023:4971

RHSA-2023:4991

RHSA-2023:5931

RHSA-2023:6818

RLSA-2023:6818

USN-6326-1

Affected Products

Alt Linux

Astra Linux

Gitpython

Linuxmint

Red Os

Rocky Linux

Ubuntu

CVE-2023-40267

Weakness Enumeration

Related Identifiers

Affected Products

References · 36