CVE-2023-40590
Arbitrary Command Execution vulnerability in gitpython (PyPI)

Arbitrary Command Execution No known exploit

What is CVE-2023-40590 About?

This vulnerability in GitPython allows arbitrary command execution on Windows systems by abusing the order in which executables are resolved when a program is invoked by a bare name. An attacker can trick a user into running GitPython from within a malicious repository, leading to the execution of arbitrary commands. The vulnerability is relatively easy to exploit, but it affects Windows users only.

Affected Software

gitpython <3.1.33

Technical Details

GitPython, a Python library for Git interaction, experiences an arbitrary command execution vulnerability due to the search order of executables on Windows. Python on Windows first checks the current working directory (CWD) before the PATH environment variable for executables. If a user runs GitPython from a repository containing a malicious 'git.exe' or 'git' executable, that malicious program will be prioritized and executed instead of the legitimate 'git' command from the system's PATH. An attacker can create a repository with a specially crafted 'git' executable and entice a user to download and then run or import GitPython from within that directory. This mechanism allows the attacker to execute arbitrary commands on the user's system under the context of the running Python process.
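The search-order problem described above, modelled as an added example (not GitPython's own code): a constructed directory layout plants a `git.exe` in a repository and keeps the legitimate one in a directory on PATH, then resolves the bare name `git` once with the CWD-first lookup and once with CWD excluded, which is what the documented Windows environment variable `NoDefaultCurrentDirectoryInExePath` does. The function `resolve_windows_style` is a simplification of the real lookup (application and system directories are omitted) so that it runs on any platform.

```python
import tempfile
from pathlib import Path


def resolve_windows_style(name, cwd, path_dirs, skip_cwd=False):
    """Model of the Windows lookup for a bare program name (constructed
    simplification: application and system directories are omitted).

    The current working directory is searched before PATH unless skip_cwd is
    True, which mirrors the effect of NoDefaultCurrentDirectoryInExePath.
    Returns the first matching file as an absolute Path, or None.
    """
    candidates = [] if skip_cwd else [Path(cwd)]
    candidates += [Path(d) for d in path_dirs]
    for directory in candidates:
        for suffix in ("", ".exe"):          # PATHEXT reduced to .exe for the model
            candidate = directory / (name + suffix)
            if candidate.is_file():
                return candidate.resolve()
    return None


def demo():
    """Build a constructed layout and return the contents of the file chosen
    by the naive (CWD-first) lookup and by the hardened (PATH-only) lookup."""
    root = Path(tempfile.mkdtemp())
    repo, bin_dir = root / "repo", root / "bin"
    repo.mkdir()
    bin_dir.mkdir()
    # Planted binary inside the cloned repository (constructed sample data).
    (repo / "git.exe").write_text("planted")
    # Legitimate binary in a directory that is on PATH.
    (bin_dir / "git.exe").write_text("legit")

    naive = resolve_windows_style("git", cwd=repo, path_dirs=[bin_dir])
    hardened = resolve_windows_style("git", cwd=repo, path_dirs=[bin_dir],
                                     skip_cwd=True)
    return naive.read_text(), hardened.read_text()


if __name__ == "__main__":
    print(demo())  # ('planted', 'legit')
```

The same lesson applies to any wrapper that spawns a helper by bare name on Windows: resolve it to an absolute path against PATH (or set `NoDefaultCurrentDirectoryInExePath`) before handing it to `subprocess`, and note that `shutil.which` on Windows itself includes the CWD in its search.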

What is the Impact of CVE-2023-40590?

Successful exploitation may allow attackers to execute arbitrary code or commands on the affected system, leading to full system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2023-40590?

Exploitation requires user interaction to download and run GitPython from a specially crafted malicious repository. The attack is local in the sense that the malicious executable needs to be present in the user's Git repository, but the initial delivery can be remote (e.g., via a malicious cloned repo). No specific authentication or high privileges are required beyond the ability to execute the Python script locally. The attack primarily affects Windows systems and relies on the user's current working directory containing the malicious executable. Exploitation is made easier by the common practice of running GitPython from the CWD of a repository.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-40590?

Available Upgrade Options

  • gitpython
    • <3.1.33 → Upgrade to 3.1.33


Additional Resources

What are Similar Vulnerabilities to CVE-2023-40590?

Similar Vulnerabilities: CVE-2022-26485, CVE-2021-4122, CVE-2020-17049, CVE-2018-1000132, CVE-2017-1000086