CVE-2024-22190

Name
CVE-2024-22190
Description
GitPython is a Python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features is used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f
security-advisories@github.com https://github.com/gitpython-developers/GitPython/pull/1792
security-advisories@github.com https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:* py3-gitpython >= None < 3.1.41

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
py3-gitpython 3.19-community 3.1.40-r0 Bart Ribbers <bribbers@disroot.org> possibly vulnerable