Untrusted search path under some conditions on Windows allows arbitrary code execution
CVE-2024-22190

7.8HIGH

Key Information:

Status
Vendor
CVE Published: 11 January 2024

What is CVE-2024-22190?

GitPython, a popular Python library for interacting with Git repositories, contains an untrusted search path issue on Windows systems. The vulnerability arises when GitPython relies on the shell to execute git commands, or when it invokes bash.exe to interpret Git hooks. In both cases a maliciously crafted git.exe or bash.exe placed in an untrusted repository could be executed instead of the intended program. The issue stems from an incomplete fix for a prior vulnerability. It has been addressed and patched in GitPython version 3.1.41, underlining the importance of keeping software updated to mitigate security risks.
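As an added defender-side illustration (not code from the advisory or from the GitPython project), the script below shows two pre-flight checks a practitioner might run before letting Git tooling operate on a freshly cloned, untrusted repository: a lookup for planted `git.exe`/`bash.exe` files in the checkout, and a gate on the installed GitPython version against the 3.1.41 fix version named above. It assumes the well-known Windows behaviour that a bare executable name is resolved by searching the current working directory before `PATH`; that lookup order is simulated in `resolve_like_windows` so the example runs on any OS, and the directory layout it scans is constructed inside a temporary folder rather than taken from a real system.

```python
"""Added example (not from the advisory or GitPython): pre-flight checks for an
untrusted-search-path condition before invoking git tooling on a checkout.

Assumption (labelled): on Windows, a bare executable name such as "git.exe"
is resolved by searching the current working directory before PATH, so a
repository that ships its own git.exe or bash.exe can shadow the real binary
whenever the working directory is the checkout.  The lookup is simulated
here so the script runs on any OS; the file layout is constructed in a
temporary directory.
"""
import re
import tempfile
from pathlib import Path

# Names the advisory identifies as the ones an untrusted repo could shadow.
WINDOWS_LOOKUP_NAMES = ("git.exe", "bash.exe")

# Fix version stated in the advisory.
PATCHED_GITPYTHON = (3, 1, 41)


def shadowed_executables(repo_dir, extra_names=()):
    """Return the executable names that exist directly inside repo_dir and
    would therefore win a working-directory-first lookup."""
    repo = Path(repo_dir)
    return [name for name in (*WINDOWS_LOOKUP_NAMES, *extra_names)
            if (repo / name).is_file()]


def resolve_like_windows(name, cwd, path_entries):
    """Simulate a CWD-first search: return the path of the first match for
    `name` in [cwd] + path_entries, or None if nothing matches."""
    for directory in (cwd, *path_entries):
        candidate = Path(directory) / name
        if candidate.is_file():
            return str(candidate)
    return None


def gitpython_is_patched(version):
    """True if a GitPython version string is at least the advisory's fix
    version (3.1.41).  Pre-release suffixes such as '41rc1' are tolerated by
    taking only the leading digits of each component."""
    parts = []
    for component in version.split(".")[:3]:
        match = re.match(r"\d+", component)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) >= PATCHED_GITPYTHON


def demo():
    """Build a constructed layout: a trusted Git install on PATH and an
    untrusted clone that ships its own git.exe.  Returns the shadowed names
    found in the clone and whether the simulated lookup resolved into it."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "Program Files" / "Git" / "cmd"
        trusted.mkdir(parents=True)
        (trusted / "git.exe").write_bytes(b"real git (constructed)")

        repo = Path(tmp) / "untrusted-clone"
        repo.mkdir()
        (repo / "git.exe").write_bytes(b"planted git (constructed)")

        found = shadowed_executables(repo)
        resolved = resolve_like_windows("git.exe", repo, [trusted])
        resolved_into_repo = resolved is not None and resolved.startswith(str(repo))
        return found, resolved_into_repo


if __name__ == "__main__":
    found, shadowed = demo()
    print("planted executables in checkout:", found)
    print("lookup resolved into the untrusted checkout:", shadowed)
    print("GitPython 3.1.40 patched?", gitpython_is_patched("3.1.40"))
    print("GitPython 3.1.41 patched?", gitpython_is_patched("3.1.41"))
```

Running `demo()` reports `['git.exe']` as planted and `True` for the lookup resolving into the checkout; the same `shadowed_executables` scan can be pointed at a real clone directory on a Windows host, and `gitpython_is_patched(git.__version__)` gates the version in an environment where GitPython is installed.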

Affected Version(s)

GitPython < 3.1.41

References

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
