CVE-2023-40267
Remote Code Execution (RCE) vulnerability in gitpython (PyPI)
What is CVE-2023-40267 About?
GitPython before 3.1.32 is vulnerable to Remote Code Execution (RCE) because user input is not properly validated when the `clone` and `clone_from` operations are handled. The flaw lets an attacker supply a maliciously crafted remote URL that results in execution of arbitrary code. Exploitation is relatively easy whenever an attacker controls the URL passed to the clone commands.
Affected Software
- gitpython
- before commit ca965ecc81853bca7675261729143f54e5bf4cdd
- before 3.1.32
Technical Details
The vulnerability in GitPython versions prior to 3.1.32 stems from an incomplete fix for CVE-2022-24439. The library fails to adequately sanitize user input for remote URLs provided to the `clone` and `clone_from` methods; in particular, the check that blocks insecure clone options was applied only to options passed through `multi_options`, so the same options passed as individual keyword arguments (non-multi options) were not blocked. This allows an attacker to craft a special remote URL that, when interpreted by the underlying Git command invoked by GitPython, can inject arbitrary commands. Because GitPython runs the external `git` executable, the unsanitized input leads directly to command injection and subsequent remote code execution in the context of the application that uses GitPython.
What is the Impact of CVE-2023-40267?
Successful exploitation may allow attackers to execute arbitrary code on the system running GitPython, potentially leading to full system compromise, data exfiltration, or further attacks.
What is the Exploitability of CVE-2023-40267?
Exploitation complexity for this RCE is relatively low if an attacker can control the repository URL provided to GitPython's `clone` or `clone_from` functions. There are generally no explicit authentication or privilege requirements to trigger the vulnerability, especially if the application processes user-supplied repository URLs. This is a remote vulnerability, as the attacker injects malicious code via a remote URL. The special condition is that the application accepts untrusted input for Git cloning operations. The risk is significantly higher in applications that let users specify arbitrary Git repository URLs, or that take them from external sources, without thorough validation.
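The two sections above describe untrusted URLs reaching `clone`/`clone_from` and unsafe options slipping past a check that only covered `multi_options`. As an added defensive example (not GitPython's own code), the following validates both the URL and the options before they are handed to `Repo.clone_from`; the `UNSAFE_FLAGS` set is assumed to match the options GitPython blocks, and the URLs used in the self-checks are constructed.

```python
import re
from urllib.parse import urlsplit

# Schemes an application that clones user-supplied repositories should accept.
# Anything without a recognised scheme (remote-helper transports, scp-style
# "user@host:path" shorthand, local paths) is rejected outright.
ALLOWED_SCHEMES = {"https", "ssh"}

# git clone flags that change which program git executes. Assumed here to be
# the set GitPython refuses unless allow_unsafe_options=True.
UNSAFE_FLAGS = {"--upload-pack", "-u", "--config", "-c"}


def kwarg_to_flag(name: str) -> str:
    """'upload_pack' -> '--upload-pack', 'u' -> '-u' (GitPython's kwarg rule)."""
    dashed = name.replace("_", "-")
    return f"-{dashed}" if len(dashed) == 1 else f"--{dashed}"


def validate_repo_url(url: str) -> str:
    """Return url unchanged if it is an https/ssh URL with a host; else raise."""
    if url.startswith("-"):
        raise ValueError("repository URL must not look like an option")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"unsupported repository URL scheme: {parts.scheme!r}")
    return url


def validate_clone_options(multi_options=None, **kwargs) -> dict:
    """Reject unsafe flags whether they arrive in multi_options or as
    individual keyword arguments; return kwargs ready for Repo.clone_from()."""
    flags = [re.split(r"[=\s]", opt, maxsplit=1)[0] for opt in (multi_options or [])]
    flags += [kwarg_to_flag(name) for name in kwargs]
    unsafe = sorted(set(flags) & UNSAFE_FLAGS)
    if unsafe:
        raise ValueError(f"unsafe clone options rejected: {unsafe}")
    return {"multi_options": list(multi_options or []), **kwargs}


def is_rejected(fn, *args, **kwargs) -> bool:
    """True if fn raises ValueError for these inputs (self-check helper)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

The returned dict is what you would splat into `Repo.clone_from(url, to_path, **opts)` after both checks pass, leaving `allow_unsafe_options` and `allow_unsafe_protocols` at their defaults.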
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-40267?
Available Upgrade Options
- gitpython before 3.1.32 → Upgrade to 3.1.32
- gitpython before commit ca965ecc81853bca7675261729143f54e5bf4cdd → Upgrade to commit ca965ecc81853bca7675261729143f54e5bf4cdd
Additional Resources
- https://github.com/gitpython-developers/GitPython/pull/1609
- https://github.com/gitpython-developers/GitPython
- https://github.com/gitpython-developers/GitPython/commit/ca965ecc81853bca7675261729143f54e5bf4cdd
- https://osv.dev/vulnerability/PYSEC-2023-137
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/
- https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-137.yaml
What are Similar Vulnerabilities to CVE-2023-40267?
Similar Vulnerabilities: CVE-2022-24439, CVE-2022-26274, CVE-2021-25916, CVE-2020-8022, CVE-2018-6342
