Bug 2151583 (CVE-2022-24439)
Summary: CVE-2022-24439 GitPython: improper user input validation leads to RCE
Product: [Other] Security Response
Component: vulnerability
Status: NEW ---
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: Borja Tarraso <btarraso>
Assignee: Nobody <nobody>
CC: adudiak, bcoca, davidn, eglynn, epacific, jcammara, jhardy, jjoyce, jneedle, jobarker, kshier, lhh, mabashia, mburns, mgarciac, nobody, simaishi, smcdonal, spower, stcannon, teagle, tfister, yguenane, ytale, zsadeh
Keywords: Security
Doc Type: If docs needed, set a value
Doc Text:
A remote code execution vulnerability exists in GitPython. The library builds the git clone command line from the caller-supplied repository URL and hands it to the external git binary without validating it, so an attacker who can supply the URL to a clone operation can inject a malicious URL and have git run attacker-controlled commands with the privileges of the calling process. This issue leads to complete system compromise.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2155815, 2155816, 2155817, 2155818, 2155962, 2155963, 2155964, 2163464, 2238375
Bug Blocks: 2155779
Description
Borja Tarraso
2022-12-07 14:47:27 UTC
Created GitPython tracking bugs for this issue:

Affects: epel-all [bug 2155962]
Affects: fedora-all [bug 2155963]
Affects: openstack-rdo [bug 2155964]

This issue has been addressed in the following products:

Red Hat Satellite 6.13 for RHEL 8
Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931
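The Doc Text above describes the root cause: a caller-supplied URL reaches the git binary unchecked. The following is an added example written for this page, not GitPython's code and not the upstream fix. It places the unsafe pattern (vulnerable_clone_argv) next to a hypothetical hardening layer (validate_clone_url, build_clone_argv) that allow-lists transports, rejects remote-helper syntax such as ext::, rejects option-looking arguments, and puts "--" before the URL. The allow-list, the function names and the sample URLs are assumptions for this example; it also goes beyond the bug text by covering option injection as well as the remote-helper transport.

```python
"""Guarding a git clone against URL injection.

Added example for CVE-2022-24439; this is not GitPython's code and not the
upstream fix. It shows the unsafe pattern (an untrusted URL passed straight
to the git binary) next to a hypothetical hardening layer that allow-lists
transports, refuses option-looking arguments and remote-helper syntax, and
places "--" before the URL so git cannot parse it as a flag.
"""
import re
import shlex
from urllib.parse import urlsplit

# Transports a service should normally be willing to clone from (assumption
# for this example). "ext" and "fd" are deliberately absent: ext:: hands the
# remainder of the URL to a shell via git-remote-ext.
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# <transport>::<address> selects a remote helper such as git-remote-ext.
_HELPER_SYNTAX = re.compile(r"^[A-Za-z0-9+._-]*::")

# scp-like form user@host:path (no scheme). Hosts limited to DNS characters.
_SCP_LIKE = re.compile(
    r"^(?:(?P<user>[A-Za-z0-9._-]+)@)?(?P<host>[A-Za-z0-9.-]+):(?!//)(?P<path>\S+)$"
)


class UnsafeCloneURL(ValueError):
    """Raised when a clone URL fails the checks below."""


def validate_clone_url(url: str) -> str:
    """Return url unchanged if it is an acceptable clone source, else raise."""
    if not url:
        raise UnsafeCloneURL("empty URL")
    if url.startswith("-"):
        raise UnsafeCloneURL("URL looks like a command-line option")
    if _HELPER_SYNTAX.match(url):
        raise UnsafeCloneURL("remote-helper syntax (transport::address) is not allowed")
    if "\x00" in url or any(ch.isspace() for ch in url):
        raise UnsafeCloneURL("NUL or whitespace in URL")

    scp = _SCP_LIKE.match(url)
    if scp:
        # ssh receives user@host as an argument: neither part may look like an option.
        if scp.group("host").startswith("-") or (scp.group("user") or "").startswith("-"):
            raise UnsafeCloneURL("user or host looks like a command-line option")
        return url

    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeCloneURL(f"transport {parts.scheme or '<none>'!r} not allowed")
    if not parts.hostname or parts.hostname.startswith("-"):
        raise UnsafeCloneURL("missing or option-like host")
    return url


def vulnerable_clone_argv(url: str, dest: str) -> list[str]:
    """The pattern behind CVE-2022-24439: the URL reaches git unchecked."""
    return ["git", "clone", url, dest]


def build_clone_argv(url: str, dest: str) -> list[str]:
    """Hardened argv: validated URL, placed after "--", ext helper disabled."""
    safe_url = validate_clone_url(url)
    if dest.startswith("-"):
        raise UnsafeCloneURL("destination looks like a command-line option")
    # "-c protocol.ext.allow=never" is a second layer in case the allow-list is loosened.
    return ["git", "-c", "protocol.ext.allow=never", "clone", "--", safe_url, dest]


# Constructed sample inputs for this example (not taken from a real incident).
SAMPLES = [
    "https://github.com/gitpython-developers/GitPython.git",
    "git@github.com:gitpython-developers/GitPython.git",
    "ext::sh -c touch% /tmp/pwned",     # remote-helper transport: runs a shell
    "--upload-pack=touch /tmp/pwned",   # option injection into git clone
    "file:///etc",                      # local transport, not allow-listed
]


def classify(urls: list[str]) -> dict[str, str]:
    """Map each URL to "ok" or "rejected: <reason>"."""
    verdicts = {}
    for url in urls:
        try:
            validate_clone_url(url)
            verdicts[url] = "ok"
        except UnsafeCloneURL as exc:
            verdicts[url] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    for url, verdict in classify(SAMPLES).items():
        unchecked = shlex.join(vulnerable_clone_argv(url, "dest"))
        print(f"{verdict:60} unchecked argv: {unchecked}")
```

The scheme allow-list is the primary control; "-c protocol.ext.allow=never" and the "--" separator are defence in depth, so a later relaxation of the allow-list does not silently reopen the shell path. Local paths and IPv6 literals in scp-like form are rejected by this coarse validator and would need explicit handling if a deployment needs them.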