Описание
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
A remote code execution vulnerability exists in Git-python. By injecting a malicious URL into the clone command, an attacker can exploit this vulnerability as the library makes external calls to git without any input sanitization. This issue leads to complete system compromise.
Отчет
Across all supported releases of Red Hat OpenStack Platform the usage of a compromised GitPython API (clone_from()) is quite limited. The only people capable of exploiting this vulnerability are system administrators. For this reason, the impact has been downgraded to medium. The impact to Red Hat OpenStack Platform 17 is rated Low as the compromised function is not in use.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | python-gitpython | Affected | ||
| Red Hat OpenStack Platform 13 (Queens) | GitPython | Affected | ||
| Red Hat OpenStack Platform 16.1 | GitPython | Affected | ||
| Red Hat OpenStack Platform 16.2 | GitPython | Affected | ||
| Red Hat OpenStack Platform 17.0 | GitPython | Affected | ||
| Red Hat Satellite 6.13 for RHEL 8 | python-gitpython | Fixed | RHSA-2023:5931 | 19.10.2023 |
| Red Hat Satellite 6.13 for RHEL 8 | python-gitpython | Fixed | RHSA-2023:5931 | 19.10.2023 |
Показывать по
Дополнительная информация
Статус:
EPSS
9.8 Critical
CVSS3
Связанные уязвимости
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
All versions of package gitpython are vulnerable to Remote Code Execut ...
GitPython vulnerable to Remote Code Execution due to improper user input validation
Уязвимость библиотеки Python для взаимодействия с git-репозиториями gitpython, связанная с неправильной проверкой ввода, позволяющая нарушителю внедрить вредоносный удаленный URL-адрес в команду клонирования
EPSS
9.8 Critical
CVSS3