VDB
CVE-2022-24439
PUBLISHED
CVSS 8.1 HIGH
Reported by snyk · Published December 12, 2022
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
Risk Scores
CVSS v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products
| Vendor | Product | Affected from version |
|---|---|---|
| n/a | GitPython | 0 |
| PyPI | GitPython | 0 |
| n/a | GitPython | 0, 0 |
Timeline
- Dec 6, 2022: CVE Published
- EPSS score updated: Dec 6, 2022; Jan 17, 2023; Feb 28, 2023; Apr 11, 2023; May 23, 2023; Aug 15, 2023; Nov 7, 2023; Dec 19, 2023; Mar 12, 2024; Jun 4, 2024; Jul 16, 2024
References
- FEDORA-2022-8146a727a8 vendor-advisory
- FEDORA-2022-ce7369b9ec vendor-advisory
- [debian-lts-announce] 20230725 [SECURITY] [DLA 3502-1] python-git security update mailing-list
- FEDORA-2023-1ec4e542f9 vendor-advisory
- FEDORA-2023-26116901d9 vendor-advisory
- GLSA-202311-01 vendor-advisory
- https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html url
- https://nvd.nist.gov/vuln/detail/CVE-2022-24439 advisory
- https://github.com/advisories/GHSA-hcpj-qp55-gfph advisory
- https://github.com/gitpython-developers/GitPython/issues/1515 url
- https://github.com/gitpython-developers/GitPython/commit/2625ed9fc074091c531c27ffcba7902771130261 patch
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH url