PT-2023-4751 · Gitpython+1

Stsewd · Published 2023-08-28 · Updated 2025-10-17 · CVE-2023-40590

CVSS v4.0: 8.6 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: GitPython (affected versions not specified)
Description: The issue stems from how a program name is resolved when Python starts a subprocess on Windows. GitPython defaults to invoking the bare command name git; when a name without a path is passed to CreateProcess, Windows searches the current working directory before the directories listed in PATH. If GitPython is used from inside a repository that contains a git.exe (or git) file, that file is executed instead of the user's real git installation. An attacker can therefore trick a user into downloading or cloning a repository that carries a malicious git executable, and once GitPython operates on that repository the attacker's program runs arbitrary commands with the user's privileges. The issue is specific to Windows: Linux and other operating systems are not affected, because their program lookup does not search the current directory.
Recommendations
  1. Default to an absolute path for the git program on Windows, such as C:\Program Files\Git\cmd\git.EXE (the default Git for Windows installation path).
  2. Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems.
  3. Make this problem prominent in the documentation and advise users never to run GitPython from an untrusted repository, or to set the GIT_PYTHON_GIT_EXECUTABLE environment variable to an absolute path.
  4. Resolve the executable manually, looking only in the directories listed in the PATH environment variable and never in the current working directory.
At the time of the original report, no released version containing a fix for this vulnerability was known.
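The following is an added example illustrating recommendation 4 and the lookup order described above; it is not code from the advisory or from GitPython. The function names (resolve_from_path, resolve_like_createprocess, search_dirs, demo), the injectable is_executable predicate, and the Windows paths and PATH value inside demo() are all constructed for illustration. Windows search semantics (PATHEXT, drive-letter absolute paths) are emulated with ntpath so the contrast runs on any operating system.

```python
"""Added example (not the advisory's or GitPython's own code): resolve the git
program by searching PATH only, so a git.exe inside an untrusted repository
checkout is never selected. A simplified emulation of the Windows CreateProcess
search order is included to show why the default lookup is unsafe. The file
names and PATH values in demo() are constructed for illustration."""
import ntpath
import os
import posixpath

WINDOWS_DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"


def _default_is_executable(path):
    """Real filesystem check; the demo and tests inject a fake instead."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def _candidates(name, directory, windows, pathext):
    """File names to try for `name` inside `directory`.

    On Windows a bare name such as 'git' is tried with each PATHEXT suffix in
    order; a name that already has an extension is tried as given. POSIX uses
    the name unchanged."""
    if not windows:
        return [posixpath.join(directory, name)]
    if ntpath.splitext(name)[1]:
        return [ntpath.join(directory, name)]
    return [ntpath.join(directory, name + ext) for ext in pathext]


def search_dirs(path_env, windows):
    """Absolute directories listed in PATH, in order.

    Empty and relative entries ('', '.', 'bin') are dropped: the OS would resolve
    them against the current working directory, which is exactly the untrusted
    location being excluded."""
    isabs = ntpath.isabs if windows else posixpath.isabs
    dirs = []
    for entry in path_env.split(";" if windows else ":"):
        if windows:
            entry = entry.strip('"')  # Windows tolerates quoted PATH entries
        if entry and isabs(entry):
            dirs.append(entry)
    return dirs


def resolve_from_path(name, path_env, windows=False, pathext=None, is_executable=None):
    """First executable matching `name` in PATH, or None (recommendation 4).

    Unlike CreateProcess on Windows, and unlike shutil.which on Windows before
    Python 3.12 (which prepends os.curdir to the search path), this never
    consults the current working directory."""
    is_executable = is_executable or _default_is_executable
    exts = (pathext or WINDOWS_DEFAULT_PATHEXT).split(";") if windows else []
    for directory in search_dirs(path_env, windows):
        for candidate in _candidates(name, directory, windows, exts):
            if is_executable(candidate):
                return candidate
    return None


def resolve_like_createprocess(name, path_env, cwd, pathext=None, is_executable=None):
    """Simplified emulation of how CreateProcess finds a bare program name on
    Windows: the current directory is searched before PATH (the application and
    system directories it also checks are omitted here). This order is what lets
    evil-repo\\git.exe shadow the installed git when GitPython runs from inside
    that repository."""
    is_executable = is_executable or _default_is_executable
    exts = (pathext or WINDOWS_DEFAULT_PATHEXT).split(";")
    for directory in [cwd] + search_dirs(path_env, windows=True):
        for candidate in _candidates(name, directory, True, exts):
            if is_executable(candidate):
                return candidate
    return None


def demo():
    """Constructed scenario: a cloned repository carrying git.exe, plus the real
    Git for Windows installation on PATH. Returns (unsafe_pick, safe_pick)."""
    present = {ntpath.normcase(p) for p in (
        r"C:\work\evil-repo\git.exe",
        r"C:\Program Files\Git\cmd\git.exe",
    )}

    def fake_exists(path):
        return ntpath.normcase(path) in present

    path_env = r"C:\Windows\System32;C:\Program Files\Git\cmd"
    unsafe = resolve_like_createprocess("git", path_env, r"C:\work\evil-repo",
                                        is_executable=fake_exists)
    safe = resolve_from_path("git", path_env, windows=True, is_executable=fake_exists)
    return unsafe, safe


if __name__ == "__main__":
    unsafe_pick, safe_pick = demo()
    print("CreateProcess-style lookup runs:", unsafe_pick)
    print("PATH-only lookup runs:          ", safe_pick)
```

In an application that uses GitPython, the absolute path returned by resolve_from_path can be placed in GIT_PYTHON_GIT_EXECUTABLE before GitPython is imported, which combines recommendations 2 and 4: the library then never has to resolve the bare name git itself. Note that shutil.which is not a drop-in replacement on Windows, since on Python versions before 3.12 it prepends the current directory to its search, reproducing the very behaviour the advisory describes.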

Exploit

Weakness Enumeration

Untrusted Search Path

Related Identifiers

ALT-PU-2023-6832
ALT-PU-2023-8078
BDU:2023-05185
CVE-2023-40590
GHSA-WFM5-V35H-VWF4
OPENSUSE-SU-2024:13207-1
PYSEC-2023-161

Affected Products

Alt Linux
Gitpython