SNYK-PYTHON-GITPYTHON-3113858
## Overview [GitPython](https://pypi.org/project/GitPython/) is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to `git` without sufficient sanitization of input arguments. This is only relevant when enabling the `ext` transport protocol. ## PoC ```python from git import Repo r = Repo.init('', bare=True) r.clone_from('ext::sh -c touch% /tmp/pwned', 'tmp', multi_options=["-c protocol.ext.allow=always"]) ``` ## Remediation Upgrade `GitPython` to version 3.1.30 or higher. ## References - [GitHub Commit](https://github.com/gitpython-developers/GitPython/commit/2625ed9fc074091c531c27ffcba7902771130261) - [GitHub Issue](https://github.com/gitpython-developers/GitPython/issues/1517) - [Vulnerable Code](https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py#L1249)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Nov 13, 2022 CVE Updated
- Dec 5, 2022 CVE Published
References
- https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://pypi.org/project/GitPython/ vendor
- https://github.com/gitpython-developers/GitPython/commit/2625ed9fc074091c531c27ffcba7902771130261 patch
- https://github.com/gitpython-developers/GitPython/issues/1517 issue
- https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py#L1249 technical