All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
Created GitPython tracking bugs for this issue: Affects: epel-all [bug 2155962] Affects: fedora-all [bug 2155963] Affects: openstack-rdo [bug 2155964]
https://github.com/gitpython-developers/GitPython/pull/1518/commits
https://github.com/gitpython-developers/GitPython/pull/1521
This issue has been addressed in the following products: Red Hat Satellite 6.13 for RHEL 8 Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931