Bug 2151583 (CVE-2022-24439) - CVE-2022-24439 GitPython: improper user input validation leads into a RCE
Summary: CVE-2022-24439 GitPython: improper user input validation leads into a RCE
Status: NEW
Alias: CVE-2022-24439
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 2155964 2163464 2155815 2155816 2155817 2155818 2155962 2155963 2238375
Blocks: 2155779
TreeView+ depends on / blocked
Reported: 2022-12-07 14:47 UTC by Borja Tarraso
Modified: 2023-10-19 13:13 UTC (History)
26 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A remote code execution vulnerability exists in Git-python. By injecting a malicious URL into the clone command, an attacker can exploit this vulnerability as the library makes external calls to git without any input sanitization. This issue leads to complete system compromise.
Clone Of:
Last Closed:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
OpenStack gerrit 869611 0 None MERGED Bump GitPython to 3.1.30 2023-01-10 13:17:31 UTC
Red Hat Product Errata RHSA-2023:5931 0 None None None 2023-10-19 13:13:04 UTC

Description Borja Tarraso 2022-12-07 14:47:27 UTC
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Comment 2 Avinash Hanwate 2022-12-23 03:21:52 UTC
Created GitPython tracking bugs for this issue:

Affects: epel-all [bug 2155962]
Affects: fedora-all [bug 2155963]
Affects: openstack-rdo [bug 2155964]

Comment 12 errata-xmlrpc 2023-10-19 13:13:02 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931

Note You need to log in before you can comment on or make changes to this bug.