Untrusted search path on Windows systems leading to arbitrary code execution
CVE-2023-40590

7.8HIGH

Key Information:

CVE Published: 28 August 2023

What is CVE-2023-40590?

A vulnerability in the GitPython library enables arbitrary command execution on Windows due to the way executables are resolved there. When GitPython invokes 'git' as a subprocess, Windows searches the current working directory before the directories listed in the PATH environment variable. If a malicious repository contains a 'git' executable, running GitPython with that repository as the current working directory can execute that file instead of the real Git, so arbitrary commands run on the user's system. To mitigate this, set the GIT_PYTHON_GIT_EXECUTABLE environment variable to the absolute path of the trusted 'git' executable, avoid running GitPython from inside untrusted repositories, and monitor the GitPython documentation for further guidance. These temporary workarounds offer limited relief until a permanent fix is available.
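The mitigation described above, as an added example that is not part of this advisory or of GitPython's own code: a small Python resolver that scans PATH explicitly (never the working directory) and validates a pinned GIT_PYTHON_GIT_EXECUTABLE before GitPython is imported. The directory layout, stub files and helper names (find_on_path, resolve_git_executable, demo) are constructed for the demonstration and are assumptions, not GitPython APIs.

```python
import os
import stat
import tempfile
from pathlib import Path

# Environment variable GitPython reads to locate the git binary (named in the advisory).
ENV_VAR = "GIT_PYTHON_GIT_EXECUTABLE"

# Suffixes Windows tries when resolving a bare command name; POSIX adds none.
WIN_EXTENSIONS = (".exe", ".cmd", ".bat", ".com")


def candidate_names(name, windows):
    """File names a bare command name may resolve to on the given platform."""
    return [name + ext for ext in WIN_EXTENSIONS] if windows else [name]


def find_on_path(name, path_dirs, cwd, windows=False):
    """Explicit PATH scan that never consults the current working directory.

    Windows' default process creation looks in cwd before PATH; this scan only
    accepts absolute PATH entries and skips any entry that is the cwd itself.
    Returns the resolved path of the first executable hit, or None.
    """
    cwd = Path(cwd).resolve()
    for entry in path_dirs:
        directory = Path(entry)
        if not directory.is_absolute() or directory.resolve() == cwd:
            continue  # relative entries ("." included) and the cwd are untrusted
        for fname in candidate_names(name, windows):
            candidate = directory / fname
            if candidate.is_file() and os.access(candidate, os.X_OK):
                return str(candidate.resolve())
    return None


def resolve_git_executable(env, cwd, path_dirs, windows=False):
    """Return the absolute git path GitPython should use, or raise ValueError.

    Applies the advisory's mitigation: a pinned GIT_PYTHON_GIT_EXECUTABLE must
    be absolute, must exist, and must not live in the working directory.
    """
    pinned = env.get(ENV_VAR)
    if pinned:
        target = Path(pinned)
        if not target.is_absolute():
            raise ValueError(f"{ENV_VAR} must be an absolute path, got {pinned!r}")
        target = target.resolve()
        if not target.is_file():
            raise ValueError(f"{ENV_VAR} does not point at a file: {target}")
        if target.parent == Path(cwd).resolve():
            raise ValueError(f"{ENV_VAR} points into the working directory: {target}")
        return str(target)
    found = find_on_path("git", path_dirs, cwd, windows)
    if found is None:
        raise ValueError("no trusted git executable found on PATH")
    return found


def demo():
    """Constructed layout: an untrusted repo holding a 'git' file, and a trusted bin dir.

    POSIX-style stub files are used so the demo runs on any platform; the
    cwd-first lookup being defended against is Windows behaviour.
    """
    root = Path(tempfile.mkdtemp(prefix="cve-2023-40590-"))
    repo = root / "untrusted_repo"
    trusted = root / "trusted_bin"
    for directory in (repo, trusted):
        directory.mkdir()
        stub = directory / "git"
        stub.write_text("#!/bin/sh\necho stub git\n")  # constructed stand-in, never executed here
        stub.chmod(stub.stat().st_mode | stat.S_IXUSR)

    # 1. With the repo as cwd and listed first on PATH, the scan still skips it.
    via_path = resolve_git_executable({}, cwd=repo, path_dirs=[str(repo), str(trusted)])

    # 2. A relative pin such as "git" is rejected: it would resolve via cwd.
    try:
        resolve_git_executable({ENV_VAR: "git"}, cwd=repo, path_dirs=[str(trusted)])
        relative_rejected = False
    except ValueError:
        relative_rejected = True

    # 3. An absolute pin to the trusted copy is accepted even from inside the repo.
    pinned = resolve_git_executable({ENV_VAR: str(trusted / "git")}, cwd=repo, path_dirs=[])

    # 4. An absolute pin that lands inside the working directory is refused.
    try:
        resolve_git_executable({ENV_VAR: str(repo / "git")}, cwd=repo, path_dirs=[])
        cwd_pin_rejected = False
    except ValueError:
        cwd_pin_rejected = True

    return {
        "via_path": via_path,
        "relative_rejected": relative_rejected,
        "pinned": pinned,
        "cwd_pin_rejected": cwd_pin_rejected,
        "trusted_git": str((trusted / "git").resolve()),
    }


if __name__ == "__main__":
    result = demo()
    # Hand the vetted path to GitPython before it is imported:
    # os.environ[ENV_VAR] = result["pinned"]; import git
    print(result)
```

GitPython reads GIT_PYTHON_GIT_EXECUTABLE when it is imported, so the vetted path has to be placed in os.environ before the import, as the trailing comment shows; the point of the explicit scan is that it produces an absolute path regardless of which directory the process happens to be started in.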

Affected Version(s)

GitPython <= 3.1.32

References

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
