Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2022-24439

Source

Debian Bug report logs - #1027163
python-git: CVE-2022-24439

Package: src:python-git; Maintainer for src:python-git is Debian Python Team <team+python@tracker.debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 28 Dec 2022 18:54:07 UTC

Severity: grave

Tags: security, upstream

Found in versions python-git/3.1.27-1, python-git/3.1.14-1

Forwarded to https://github.com/gitpython-developers/GitPython/issues/1515

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1027163; Package src:python-git. (Wed, 28 Dec 2022 18:54:09 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Wed, 28 Dec 2022 18:54:09 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: python-git
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-git.

CVE-2022-24439[0]:
| All versions of package gitpython are vulnerable to Remote Code
| Execution (RCE) due to improper user input validation, which makes it
| possible to inject a maliciously crafted remote URL into the clone
| command. Exploiting this vulnerability is possible because the library
| makes external calls to git without sufficient sanitization of input
| arguments.

https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
https://github.com/gitpython-developers/GitPython/issues/1515
https://github.com/gitpython-developers/GitPython/pull/1521

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24439
    https://www.cve.org/CVERecord?id=CVE-2022-24439

Please adjust the affected versions in the BTS as needed.

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 28 Dec 2022 19:45:10 GMT) (full text, mbox, link).

Set Bug forwarded-to-address to 'https://github.com/gitpython-developers/GitPython/issues/1515'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 28 Dec 2022 19:54:10 GMT) (full text, mbox, link).

Marked as found in versions python-git/3.1.27-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 28 Dec 2022 20:03:03 GMT) (full text, mbox, link).

Marked as found in versions python-git/3.1.14-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 28 Dec 2022 20:03:07 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Dec 29 16:36:38 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

python-git: CVE-2022-24439

Debian Bug report logs - #1027163
python-git: CVE-2022-24439

Vulmon Search

About

Products

Connect

python-git: CVE-2022-24439

Debian Bug report logs - #1027163 python-git: CVE-2022-24439

Vulmon Search

About

Products

Connect

Debian Bug report logs - #1027163
python-git: CVE-2022-24439