OESA-2023-1529

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.(CVE-2022-24439)

GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.(CVE-2023-40267)

Database specific

{
    "severity": "Critical"
}

References

Affected packages

openEuler:20.03-LTS-SP1 / python-GitPython

Package

Name: python-GitPython
Purl: pkg:rpm/openEuler/python-GitPython&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.32-1.oe1

Ecosystem specific

{
    "src": [
        "python-GitPython-3.1.32-1.oe1.src.rpm"
    ],
    "noarch": [
        "python-GitPython-help-3.1.32-1.oe1.noarch.rpm",
        "python3-GitPython-3.1.32-1.oe1.noarch.rpm"
    ]
}

openEuler:20.03-LTS-SP3 / python-GitPython

Package

Name: python-GitPython
Purl: pkg:rpm/openEuler/python-GitPython&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.32-1.oe1

Ecosystem specific

{
    "src": [
        "python-GitPython-3.1.32-1.oe1.src.rpm"
    ],
    "noarch": [
        "python-GitPython-help-3.1.32-1.oe1.noarch.rpm",
        "python3-GitPython-3.1.32-1.oe1.noarch.rpm"
    ]
}

openEuler:22.03-LTS / python-GitPython

Package

Name: python-GitPython
Purl: pkg:rpm/openEuler/python-GitPython&distro=openEuler-22.03-LTS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.32-1.oe2203sp2

Ecosystem specific

{
    "src": [
        "python-GitPython-3.1.32-1.oe2203.src.rpm",
        "python-GitPython-3.1.32-1.oe2203sp1.src.rpm",
        "python-GitPython-3.1.32-1.oe2203sp2.src.rpm"
    ],
    "noarch": [
        "python3-GitPython-3.1.32-1.oe2203.noarch.rpm",
        "python-GitPython-help-3.1.32-1.oe2203.noarch.rpm",
        "python-GitPython-help-3.1.32-1.oe2203sp1.noarch.rpm",
        "python3-GitPython-3.1.32-1.oe2203sp1.noarch.rpm",
        "python-GitPython-help-3.1.32-1.oe2203sp2.noarch.rpm",
        "python3-GitPython-3.1.32-1.oe2203sp2.noarch.rpm"
    ]
}

openEuler:22.03-LTS-SP1 / python-GitPython

Package

Name: python-GitPython
Purl: pkg:rpm/openEuler/python-GitPython&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.32-1.oe2203sp1

Ecosystem specific

{
    "src": [
        "python-GitPython-3.1.32-1.oe2203sp1.src.rpm"
    ],
    "noarch": [
        "python-GitPython-help-3.1.32-1.oe2203sp1.noarch.rpm",
        "python3-GitPython-3.1.32-1.oe2203sp1.noarch.rpm"
    ]
}

openEuler:22.03-LTS-SP2 / python-GitPython

Package

Name: python-GitPython
Purl: pkg:rpm/openEuler/python-GitPython&distro=openEuler-22.03-LTS-SP2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.32-1.oe2203sp2

Ecosystem specific

{
    "src": [
        "python-GitPython-3.1.32-1.oe2203sp2.src.rpm"
    ],
    "noarch": [
        "python-GitPython-help-3.1.32-1.oe2203sp2.noarch.rpm",
        "python3-GitPython-3.1.32-1.oe2203sp2.noarch.rpm"
    ]
}