9.8
CVSSv3

CVE-2022-24439

Published: 06/12/2022 Updated: 09/01/2024
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

All versions of the gitpython package (as of publication) are vulnerable to Remote Code Execution (RCE) due to improper validation of user input: a maliciously crafted remote URL can be injected into the clone command. The library builds a `git clone` command line from the URL it is given and passes it to the external git binary without sufficient sanitization of the arguments. git treats a remote of the form `ext::<command>` as a remote-helper transport and runs that command, so any application that clones from a user-supplied URL through GitPython can be made to execute attacker-chosen commands on the host performing the clone. Upstream addressed this in GitPython 3.1.30, which rejects `ext::` and `fd::` remotes unless the caller explicitly opts in.
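The following is an added example, not code from the GitPython project or from this advisory. It shows the input-validation step that was missing: a small allow-list check applied to a remote URL before it is handed to `git clone`, rejecting the `ext::` and `fd::` transport-helper forms this CVE abuses as well as option injection via a leading `-`, and building the clone command with `--` and git's real `GIT_ALLOW_PROTOCOL` whitelist as defence in depth. The function names (`check_clone_url`, `build_clone_command`, `safe_clone`, `is_rejected`), the allowed-scheme set and the sample URLs are assumptions chosen for illustration; the injectable `run` parameter exists only so the policy can be exercised without a network.

```python
"""Validate a remote URL before it reaches `git clone` (added example for CVE-2022-24439)."""
import os
import re
import subprocess
from urllib.parse import urlsplit

# Assumption: a service that clones user-supplied repositories should only
# accept these network transports. Adjust to your environment.
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# git resolves "<helper>::<address>" as a remote-helper transport when the
# part before "::" looks like a scheme. "ext::<cmd>" runs <cmd>; "fd::<n>"
# talks to an inherited file descriptor. Neither is a network location.
_HELPER_SYNTAX = re.compile(r"^[A-Za-z0-9+.-]+::")

# scp-style "user@host:path" remotes, which urlsplit() does not understand.
_SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[^/].*$")


def check_clone_url(url: str) -> str:
    """Return the URL unchanged if it is acceptable, else raise ValueError."""
    if not isinstance(url, str) or not url.strip():
        raise ValueError("empty remote URL")
    url = url.strip()
    if url.startswith("-"):
        # Would be parsed by git as an option (e.g. --upload-pack=<cmd>).
        raise ValueError("remote URL must not start with '-'")
    if _HELPER_SYNTAX.match(url):
        # This is the CVE-2022-24439 vector: ext::sh -c ... executes a command.
        raise ValueError("git remote-helper transport syntax is not allowed")
    if _SCP_LIKE.match(url):
        return url  # user@host:path always goes over ssh
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {scheme or '(none)'!r} is not allowed")
    return url


def is_rejected(url: str) -> bool:
    """Convenience predicate: True if check_clone_url() refuses the URL."""
    try:
        check_clone_url(url)
    except ValueError:
        return True
    return False


def build_clone_command(url: str, dest: str) -> tuple[list[str], dict[str, str]]:
    """Build argv and environment for a defensive `git clone`.

    Three independent layers: the allow-list above, "--" so the URL can never
    be read as an option, and GIT_ALLOW_PROTOCOL (a real git environment
    variable) so git itself refuses ext::/fd::/file even if validation were
    bypassed somewhere else in the application.
    """
    url = check_clone_url(url)
    argv = ["git", "clone", "--", url, dest]
    env = dict(os.environ, GIT_ALLOW_PROTOCOL=":".join(sorted(ALLOWED_SCHEMES)))
    return argv, env


def safe_clone(url: str, dest: str, run=subprocess.run):
    """Clone url into dest. `run` is injectable so the policy is testable offline."""
    argv, env = build_clone_command(url, dest)
    return run(argv, env=env, check=True)
```

The validation is deliberately an allow-list: rather than enumerating dangerous prefixes, it accepts only a few known-good shapes of remote and refuses everything else. The `GIT_ALLOW_PROTOCOL` layer matters because it is enforced inside git rather than in Python, so it still holds when a URL reaches git through some other code path (a submodule URL in a cloned `.gitmodules`, for example). None of this replaces upgrading GitPython; it limits the blast radius while that happens.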

Vulnerable Products

gitpython project gitpython

fedoraproject fedora 36

fedoraproject fedora 37

fedoraproject fedora 38

debian debian linux 10.0

Vendor Advisories

Debian Bug report logs - #1043503 python-git: CVE-2023-40267 Package: src:python-git; Maintainer for src:python-git is Debian Python Team <team+python@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Sat, 12 Aug 2023 05:36:02 UTC Severity: important Tags: security, upstream Found in v ...
Debian Bug report logs - #1027163 python-git: CVE-2022-24439 Package: src:python-git; Maintainer for src:python-git is Debian Python Team <team+python@tracker.debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org> Date: Wed, 28 Dec 2022 18:54:07 UTC Severity: grave Tags: security, upstream Found in versions p ...
Description: The MITRE CVE dictionary describes this issue as: All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external ca ...

Github Repositories

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.

Welcome to the Tern Project Tern is a software package inspection tool that can create a Software Bill of Materials (SBOM) for containers It's written in Python3 with a smattering of shell scripts Table of Contents Introduction FAQ Glossary of Terms Architecture Navigating the Code Data Model Getting Started GitHub Action Getting Started on Linux Getting Started wit