CVE-2024-22190 - High Severity Vulnerability
Vulnerable Library - GitPython-3.1.32-py3-none-any.whl
GitPython is a Python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/67/50/742c2fb60989b76ccf7302c7b1d9e26505d7054c24f08cc7ec187faaaea7/GitPython-3.1.32-py3-none-any.whl
Path to dependency file: /docs/requirements.txt
Path to vulnerable library: /docs/requirements.txt
Dependency Hierarchy:
- mkdocs_git_revision_date_localized_plugin-1.2.0-py3-none-any.whl (Root Library)
- ❌ GitPython-3.1.32-py3-none-any.whl (Vulnerable Library)
Found in base branch: master
Vulnerability Details
GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run git, as well as when it runs bash.exe to interpret hooks. If either of those features are used on Windows, a malicious git.exe or bash.exe may be run from an untrusted repository. This issue has been patched in version 3.1.41.
Publish Date: 2024-01-11
URL: CVE-2024-22190
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-22190
Release Date: 2024-01-11
Fix Resolution: GitPython - 3.1.41
Step up your Open Source Security Game with Mend here
CVE-2024-22190 - High Severity Vulnerability
GitPython is a Python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/67/50/742c2fb60989b76ccf7302c7b1d9e26505d7054c24f08cc7ec187faaaea7/GitPython-3.1.32-py3-none-any.whl
Path to dependency file: /docs/requirements.txt
Path to vulnerable library: /docs/requirements.txt
Dependency Hierarchy:
Found in base branch: master
GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run
git, as well as when it runsbash.exeto interpret hooks. If either of those features are used on Windows, a maliciousgit.exeorbash.exemay be run from an untrusted repository. This issue has been patched in version 3.1.41.Publish Date: 2024-01-11
URL: CVE-2024-22190
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-22190
Release Date: 2024-01-11
Fix Resolution: GitPython - 3.1.41
Step up your Open Source Security Game with Mend here