CVE-2024-22190
Arbitrary Code Execution vulnerability in gitpython (PyPI)


What is CVE-2024-22190 About?

This vulnerability in GitPython stems from an incomplete fix for CVE-2023-40590 and allows arbitrary code execution on Windows through an untrusted search path. It manifests when GitPython runs Git commands via a shell, or when it interprets hook scripts with `bash.exe`, so that a malicious `git.exe` or `bash.exe` can be executed in place of the real tool. Exploitation is relatively easy if an attacker can place such an executable in a repository or in the current directory.

Affected Software

  • gitpython
    • <ef3192cc414f2fd9978908454f6fd95243784c7f
    • <3.1.41

Technical Details

The vulnerability concerns how GitPython launches processes on Windows.

When GitPython executes Git commands via shell=True (or Git.USE_SHELL = True), it relies on the Windows cmd.exe shell to resolve the `git` executable. cmd.exe does not honor the NoDefaultCurrentDirectoryInExePath environment variable that GitPython sets when cmd.exe itself performs the path search, so a malicious git.exe in the current working directory (typically the root of the repository) is found and executed.

Similarly, when running hook scripts, GitPython invokes bash.exe without taking steps to avoid finding and running a malicious bash.exe in the current directory. An attacker who can place a rogue bash.exe in a repository therefore gets it executed whenever a hook is triggered, even if the hook script itself is benign.

This is particularly problematic in workflows that check out untrusted feature branches or forks.

What is the Impact of CVE-2024-22190?

Successful exploitation may allow attackers to achieve arbitrary code execution on the Windows machine running GitPython. This can lead to full system compromise, unauthorized data access, modification, or deletion, and further network penetration.

What is the Exploitability of CVE-2024-22190?

Exploitation is of low complexity. The primary prerequisites are a Windows system running GitPython, and the ability for an attacker to create a malicious git.exe or bash.exe within an untrusted repository or the current working directory. No authentication is typically required for Git operations performed within the context of the running application. Privilege requirements are those of the user running the GitPython application. This is primarily a local vulnerability, as an attacker needs to modify the repository or the current directory on the victim's machine, or present a malicious repository. The likelihood of exploitation increases if an application sets Git.USE_SHELL = True, if developers frequently switch to untrusted branches/forks, or if the application automatically performs Git operations (like committing) on untrusted repositories.
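The precondition described in the Technical Details and Exploitability sections is a file named git.exe or bash.exe sitting in the directory GitPython will run from. The following is an added defensive example, not GitPython's own code: it audits a working tree for such files and reports root-level hits (the current-directory case the advisory describes) separately from nested ones. The function names and the constructed sample checkout are this example's own assumptions.

```python
import os
import tempfile
from pathlib import Path

# Executable names a rogue binary must use to shadow the real tool
# (taken from the advisory text; everything else here is constructed).
SHADOW_NAMES = {"git.exe", "bash.exe"}


def audit_tree(root):
    """Walk `root` and report files named git.exe / bash.exe.

    'root_level' entries sit directly in `root`, i.e. in what would be the
    current directory when GitPython runs `git` through cmd.exe or a hook
    through bash.exe; that is the exact precondition the advisory gives.
    'nested' entries only matter if some operation uses that subdirectory
    as its working directory, so they are reported separately.
    """
    root = Path(root)
    found = {"root_level": [], "nested": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() not in SHADOW_NAMES:
                continue
            rel = Path(dirpath, name).relative_to(root).as_posix()
            bucket = "root_level" if Path(dirpath) == root else "nested"
            found[bucket].append(rel)
    for bucket in found:
        found[bucket].sort()
    return found


def build_sample_tree(base):
    """Create a constructed (fake) checkout under `base`: a harmless README,
    a benign hook script, a root-level git.exe and a nested bash.exe.
    The .exe files are empty placeholders, not real binaries."""
    base = Path(base)
    (base / ".git" / "hooks").mkdir(parents=True)
    (base / "vendor").mkdir()
    (base / "README.md").write_text("docs only\n")
    (base / ".git" / "hooks" / "pre-commit").write_text("#!/bin/sh\nexit 0\n")
    (base / "git.exe").write_bytes(b"")             # shadows git under shell=True
    (base / "vendor" / "bash.exe").write_bytes(b"")  # only risky if cwd is vendor/
    return base


def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    print(demo())  # {'root_level': ['git.exe'], 'nested': ['vendor/bash.exe']}
```

Running the audit on a checkout before enabling Git.USE_SHELL or triggering hooks is a cheap pre-check; the durable fix is still upgrading to 3.1.41 or later.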

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table on this page is empty).

What are the Available Fixes for CVE-2024-22190?

Available Upgrade Options

  • gitpython
    • <3.1.41 → Upgrade to 3.1.41
    • <ef3192cc414f2fd9978908454f6fd95243784c7f → Upgrade to commit ef3192cc414f2fd9978908454f6fd95243784c7f


Additional Resources

What are Similar Vulnerabilities to CVE-2024-22190?

Similar Vulnerabilities: CVE-2023-40590, CVE-2022-24765, CVE-2021-36109, CVE-2020-11008, CVE-2019-19882