CVE-2023-41040
Path Traversal vulnerability in gitpython (PyPI)

Path Traversal | No known exploit

What is CVE-2023-41040 About?

This vulnerability in GitPython allows an attacker to make the library open and read arbitrary files outside of the intended .git directory, because the path it builds is not validated. Although the read cannot be used to disclose file contents, it can lead to a denial of service of the program. Exploiting this issue requires user-supplied input that reaches the insecure file access.

Affected Software

  • gitpython
    • <3.1.35
    • <3.1.37

Technical Details

GitPython, a library for interacting with Git repositories, attempts to resolve Git references by reading files from the '.git' directory. The vulnerability arises because the names of some files to be read are provided by the user. GitPython concatenates the base directory with this user-supplied string without performing checks to ensure the resulting path remains within the '.git' directory. This lack of path validation, specifically at locations like https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175, allows an attacker to manipulate the file name to craft a path that points to any arbitrary file on the system, leading to an out-of-bounds file read which can be leveraged for denial of service.
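The unchecked join the advisory describes, placed beside a containment check that rejects any reference name whose resolved path leaves the .git directory. This is an added example written for this page; it is not GitPython's code and not the project's actual fix. The function names, the temporary repository built by `demo_results()`, and the sample reference names are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def unchecked_ref_path(git_dir: str, ref_name: str) -> str:
    """The pattern the advisory describes: base directory + user string, no check.

    A ref_name containing '..' (or an absolute path) yields a location
    outside git_dir, which the caller would then open.
    """
    return os.path.join(git_dir, ref_name)


def checked_ref_path(git_dir: str, ref_name: str) -> str:
    """Return the absolute path for ref_name only if it stays inside git_dir.

    Raises ValueError otherwise. Both sides are resolved (symlinks and '..'
    collapsed) before comparing, so a lexical trick such as
    'refs/../../config' and a symlink inside .git that points elsewhere
    are both rejected.
    """
    if not ref_name:
        raise ValueError("empty ref name rejected")
    if os.path.isabs(ref_name):
        raise ValueError(f"absolute ref name rejected: {ref_name!r}")
    base = Path(git_dir).resolve()
    candidate = (base / ref_name).resolve()
    # candidate must be strictly below base; equality would name the directory itself
    if base not in candidate.parents:
        raise ValueError(f"ref name escapes .git directory: {ref_name!r}")
    return str(candidate)


def is_safe_ref_name(git_dir: str, ref_name: str) -> bool:
    """Boolean wrapper around checked_ref_path for use in tests and logging."""
    try:
        checked_ref_path(git_dir, ref_name)
        return True
    except ValueError:
        return False


def demo_results() -> dict:
    """Build a throwaway .git layout (constructed sample data) and exercise both joins."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = os.path.join(tmp, "repo", ".git")
        os.makedirs(os.path.join(git_dir, "refs", "heads"))
        with open(os.path.join(git_dir, "refs", "heads", "main"), "w") as fh:
            fh.write("0" * 40 + "\n")
        # a file outside .git that a traversal string would reach
        with open(os.path.join(tmp, "outside.txt"), "w") as fh:
            fh.write("not a ref\n")

        traversal = os.path.join("..", "..", "outside.txt")
        return {
            # unchecked join happily points at the outside file
            "unchecked_escapes": os.path.normpath(
                unchecked_ref_path(git_dir, traversal)
            ) == os.path.realpath(os.path.join(tmp, "outside.txt")),
            "checked_accepts_ref": is_safe_ref_name(git_dir, "refs/heads/main"),
            "checked_rejects_traversal": not is_safe_ref_name(git_dir, traversal),
            "checked_rejects_absolute": not is_safe_ref_name(git_dir, "/etc/hostname"),
            # '..' that stays inside .git is still fine
            "checked_accepts_internal_dotdot": is_safe_ref_name(git_dir, "refs/../refs/heads/main"),
        }


if __name__ == "__main__":
    for key, value in demo_results().items():
        print(f"{key}: {value}")
```

The check compares resolved paths rather than scanning the string for `..`, so it also covers the case where a symlink inside `.git` points outside it; a purely lexical filter would not.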

What is the Impact of CVE-2023-41040?

Successful exploitation may allow attackers to cause a denial of service, rendering the affected application or service unavailable to legitimate users.

What is the Exploitability of CVE-2023-41040?

Exploitation of this vulnerability involves providing specially crafted user input that influences the file path construction. The complexity is medium, as it requires knowledge of how GitPython handles reference resolution and path manipulation. No specific authentication is mentioned as required, implying it could be exploited by any user capable of supplying the problematic input. Privilege requirements are likely those of the process running GitPython. This is a remote vulnerability if the user input can be provided over a network; otherwise, it would be local. The key constraint is that the vulnerability facilitates arbitrary file reads for denial of service, not necessarily content disclosure.

What are the Known Public Exploits?

No known exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2023-41040?

Available Upgrade Options

  • gitpython
    • <3.1.35 → Upgrade to 3.1.35
  • gitpython
    • <3.1.37 → Upgrade to 3.1.37


Additional Resources

What are Similar Vulnerabilities to CVE-2023-41040?

Similar Vulnerabilities: CVE-2021-39293, CVE-2020-10977, CVE-2020-28469, CVE-2022-24348, CVE-2022-30121