CVE-2022-24439
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-24439
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2022-24439.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 3.1.30-1 |
| debian | bullseye | fixed | 3.1.14-1+deb11u1 |
| debian | forky | fixed | 3.1.30-1 |
| debian | sid | fixed | 3.1.30-1 |
| debian | trixie | fixed | 3.1.30-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | gitpython | <3.1.30 | 3.1.30 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-24439
- https://github.com/gitpython-developers/GitPython/issues/1515
- https://github.com/gitpython-developers/GitPython/commit/2625ed9fc074091c531c27ffcba7902771130261
- https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
- https://security.gentoo.org/glsa/202311-01
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH
- https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html
- https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html
- https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2022-42992.yaml
- https://github.com/gitpython-developers/GitPython/releases/tag/3.1.30
- https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py#L1249
- https://github.com/gitpython-developers/GitPython
- https://www.suse.com/security/cve/CVE-2022-24439.html
- https://security-tracker.debian.org/tracker/CVE-2022-24439