CVE-2024-22190 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-22190

CVE-2024-22190

January 11, 2024

GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.

Related Resources (6)

https://nvd.nist.gov/vuln/detail/CVE-2024-22190

https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2024-4.yaml

https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

https://github.com/gitpython-developers/GitPython

https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f

https://github.com/gitpython-developers/GitPython/pull/1792

Do you need more information?

CVSS v4

Base Score:

8.5

Attack Vector

LOCAL

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Untrusted Search Path

CWE-426

EPSS

Base Score:

0.3

Products

Solutions

Resources

Company

Compare

Developer Tools