CVE-2022-24439

Опубликовано: 06 дек. 2022

Источник: nvd

CVSS3: 8.1

CVSS3: 9.8

EPSS Высокий

Описание

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Ссылки

https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py%23L1249
Broken Link
https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN/
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X/
Mailing List
Third Party Advisory
https://security.gentoo.org/glsa/202311-01
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
Exploit
Third Party Advisory
https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py%23L1249
Broken Link
https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN/
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X/
Mailing List
Third Party Advisory
https://security.gentoo.org/glsa/202311-01
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*

Версия до 3.1.30 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

Конфигурация 3

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 99%

0.7015

Высокий

8.1 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-20

Связанные уязвимости

CVE-2022-24439

CVSS3: 8.1

ubuntu

около 3 лет назад

CVE-2022-24439

CVSS3: 9.8

redhat

около 3 лет назад

CVE-2022-24439

CVSS3: 8.1

debian

около 3 лет назад

All versions of package gitpython are vulnerable to Remote Code Execut ...

GHSA-hcpj-qp55-gfph

CVSS3: 8.1

github

около 3 лет назад

GitPython vulnerable to Remote Code Execution due to improper user input validation

BDU:2024-04480

CVSS3: 9.8

fstec

около 3 лет назад

Уязвимость библиотеки Python для взаимодействия с git-репозиториями gitpython, связанная с неправильной проверкой ввода, позволяющая нарушителю внедрить вредоносный удаленный URL-адрес в команду клонирования

EPSS

Процентиль: 99%

0.7015

Высокий

8.1 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-20