2151583 – (CVE-2022-24439) CVE-2022-24439 GitPython: improper user input validation leads into a RCE

Bug 2151583 (CVE-2022-24439) - CVE-2022-24439 GitPython: improper user input validation leads into a RCE

Summary: CVE-2022-24439 GitPython: improper user input validation leads into a RCE

Keywords:
Status:	NEW
Alias:	CVE-2022-24439
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2155815 2155816 2155817 2155818 2155962 2155963 2155964 2163464 2238375
Blocks:	2155779
TreeView+	depends on / blocked

Reported:	2022-12-07 14:47 UTC by Borja Tarraso
Modified:	2025-04-01 08:28 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
OpenStack gerrit	869611	0	None	MERGED	Bump GitPython to 3.1.30	2023-01-10 13:17:31 UTC
Red Hat Product Errata	RHSA-2023:5931	0	None	None	None	2023-10-19 13:13:04 UTC

Description Borja Tarraso 2022-12-07 14:47:27 UTC

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Comment 2 Avinash Hanwate 2022-12-23 03:21:52 UTC

Created GitPython tracking bugs for this issue:

Affects: epel-all [bug 2155962]
Affects: fedora-all [bug 2155963]
Affects: openstack-rdo [bug 2155964]

Comment 4 Lon Hohberger 2023-01-03 17:19:02 UTC

https://github.com/gitpython-developers/GitPython/pull/1518/commits

Comment 5 Lon Hohberger 2023-01-06 22:11:31 UTC

https://github.com/gitpython-developers/GitPython/pull/1521

Comment 12 errata-xmlrpc 2023-10-19 13:13:02 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931

Note You need to log in before you can comment on or make changes to this bug.

adudiak
bcoca
davidn
eglynn
epacific
jcammara
jhardy
jjoyce
jneedle
jobarker
kshier
lhh
mabashia
mburns
mgarciac
nobody
simaishi
smcdonal
spower
stcannon
teagle
tfister
yguenane
ytale
zsadeh