Bug 2247040 (CVE-2023-41040)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2023-41040 GitPython: Blind local file inclusion | | |
| Product | [Other] Security Response | Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability | Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW --- | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | adudiak, bbuckingham, bcourt, davidn, eglynn, ehelms, epacific, jburrell, jcammara, jhardy, jjoyce, jmitchel, jneedle, jobarker, jsamir, jschluet, jsherril, jtanner, jweng, kaycoth, kshier, lhh, luizcosta, lzap, mabashia, mburns, mgarciac, mhulan, nmoumoul, nobody, nweather, orabin, osapryki, pcreech, pgrist, psegedy, rbobbitt, rchan, simaishi, smcdonal, stcannon, sthirugn, teagle, tfister, vkrizan, yguenane, zsadeh |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | GitPython 3.1.37 | Doc Type | If docs needed, set a value |
| Doc Text | A path traversal vulnerability was found in GitPython due to an input validation error when reading from the ".git" directory. This issue may allow a remote attacker to prepare a specially crafted ".git" file with directory traversal characters in file names and force the application to read these files from the local system, which can result in checking for the existence of a specific file on the system or allow a denial of service (DoS) attack. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2247049, 2247050, 2248699, 2248700, 2247046, 2247047, 2247048, 2248698, 2248701, 2248702, 2248734, 2249613 | | |
| Bug Blocks | 2247051 | | |
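The Doc Text field above describes a crafted ".git" file whose "gitdir:" pointer uses traversal segments to make the library open files outside the repository. The following Python is an added illustrative example, not GitPython's code and not the change shipped in 3.1.37: it parses a "gitdir:" pointer file the way git lays it out, canonicalises the target, and refuses to follow the pointer unless the target stays inside a caller-supplied trusted root and has the shape of a git directory (HEAD, objects, refs). The `trusted_root` parameter, the `UnsafeGitDirPointer` exception and the temporary-directory fixtures built in `demo()` are assumptions made for this example.

```python
"""Containment check for a '.git' gitdir pointer file.

Added illustrative example (not GitPython's code, not the 3.1.37 fix).
A '.git' *file* contains a single line 'gitdir: <path>' that git follows
to find the real git directory. The check below follows it only when the
resolved target stays under a trusted root.
"""
import os
import shutil
import tempfile


class UnsafeGitDirPointer(Exception):
    """Raised when a gitdir pointer escapes the trusted root (assumed name)."""


def read_gitdir_pointer(dotgit_file: str) -> str:
    """Return the raw path from a 'gitdir: <path>' pointer file."""
    with open(dotgit_file, "r", encoding="utf-8") as fp:
        content = fp.read().rstrip()
    if not content.startswith("gitdir: "):
        raise ValueError("not a gitdir pointer file")
    return content[len("gitdir: "):]


def resolve_gitdir_pointer(dotgit_file: str, trusted_root: str) -> str:
    """Resolve the pointer in dotgit_file and require it to stay under trusted_root.

    Relative pointers resolve against the directory holding the '.git' file,
    as git itself does. realpath collapses '..' segments and symlinks before
    the containment test, so a traversal that is later undone cannot slip by.
    """
    raw = read_gitdir_pointer(dotgit_file)
    base = os.path.dirname(os.path.abspath(dotgit_file))
    candidate = raw if os.path.isabs(raw) else os.path.join(base, raw)
    resolved = os.path.realpath(candidate)
    root = os.path.realpath(trusted_root)
    # Containment: the longest shared prefix must be the root itself.
    if os.path.commonpath([root, resolved]) != root:
        raise UnsafeGitDirPointer(f"gitdir pointer escapes trusted root: {raw!r}")
    # Also require the target to look like a git directory, so an arbitrary
    # existing path inside the root is not accepted either.
    for entry in ("HEAD", "objects", "refs"):
        if not os.path.exists(os.path.join(resolved, entry)):
            raise UnsafeGitDirPointer(f"gitdir target is not a git directory: {resolved!r}")
    return resolved


def _make_fake_git_dir(path: str) -> None:
    """Constructed fixture: the minimal layout the check above looks for."""
    os.makedirs(os.path.join(path, "objects"))
    os.makedirs(os.path.join(path, "refs"))
    with open(os.path.join(path, "HEAD"), "w", encoding="utf-8") as fp:
        fp.write("ref: refs/heads/main\n")


def demo() -> dict:
    """Exercise a legitimate pointer and an escaping one on constructed fixtures.

    Returns {"legit": bool, "traversal": bool}; True means the pointer was followed.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Submodule-style layout: <root>/.git/modules/sub is the real git dir
        # and <root>/sub/.git is a pointer file to it (stays inside root).
        _make_fake_git_dir(os.path.join(root, ".git", "modules", "sub"))
        os.makedirs(os.path.join(root, "sub"))
        legit_ptr = os.path.join(root, "sub", ".git")
        with open(legit_ptr, "w", encoding="utf-8") as fp:
            fp.write("gitdir: ../.git/modules/sub\n")
        try:
            resolve_gitdir_pointer(legit_ptr, root)
            results["legit"] = True
        except UnsafeGitDirPointer:
            results["legit"] = False

        # Pointer whose '..' segments leave the root; the target is even a
        # well-formed git dir, and it must still be refused.
        outside = tempfile.mkdtemp()
        try:
            _make_fake_git_dir(outside)
            os.makedirs(os.path.join(root, "escaping"))
            ptr = os.path.join(root, "escaping", ".git")
            rel = os.path.relpath(outside, os.path.join(root, "escaping"))
            with open(ptr, "w", encoding="utf-8") as fp:
                fp.write(f"gitdir: {rel}\n")
            try:
                resolve_gitdir_pointer(ptr, root)
                results["traversal"] = True
            except UnsafeGitDirPointer:
                results["traversal"] = False
        finally:
            shutil.rmtree(outside, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'traversal': False}
```

The two-part check matters: containment alone would still let a pointer name any path under the root, and the git-directory shape test alone would accept a well-formed git directory anywhere on the filesystem. Callers choose `trusted_root`; for an application that clones into a per-job directory, that directory is the natural root.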
Description
Pedro Sampaio
2023-10-30 12:42:57 UTC
Created GitPython tracking bugs for this issue:
Affects: epel-all [bug 2248699]
Affects: fedora-all [bug 2248698]
Affects: openstack-rdo [bug 2248700]

Created centpkg tracking bugs for this issue:
Affects: epel-7 [bug 2248701]

Created ndiscover-exo-2-fonts tracking bugs for this issue:
Affects: fedora-37 [bug 2248702]

This issue has been addressed in the following products:
Red Hat Satellite 6.14 for RHEL 8
Via RHSA-2023:7851 https://access.redhat.com/errata/RHSA-2023:7851

This issue has been addressed in the following products:
Red Hat OpenStack Platform 17.1
Via RHSA-2024:0215 https://access.redhat.com/errata/RHSA-2024:0215

This issue has been addressed in the following products:
Red Hat OpenStack Platform 17.1
Via RHSA-2024:0190 https://access.redhat.com/errata/RHSA-2024:0190

This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Via RHSA-2024:0322 https://access.redhat.com/errata/RHSA-2024:0322

This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640