GitPython vulnerable to Remote Code Execution due to improper user input validation
Severity: High (GitHub Reviewed)
Published to the GitHub Advisory Database: Dec 6, 2022
Published by the National Vulnerability Database: Dec 6, 2022
Reviewed: Dec 6, 2022
Last updated: Sep 20, 2024

Description
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
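The advisory's root cause is that a user-supplied remote URL reaches the `git` executable without the caller checking that git will interpret it as nothing more than a remote location. The following is an added example of an application-side allowlist check, not code from GitPython or this advisory: it assumes the application receives the remote URL from an untrusted party, assumes an allowlist of `https`, `ssh` and `git` URLs plus scp-style `user@host:path` remotes (that allowlist is this example's choice, not something the advisory specifies), and refuses everything else before any clone command is built.

```python
"""
Defensive validation of an untrusted remote URL before it is handed to
`git clone`. Added example, not GitPython's own code; the allowed-scheme
list and the helper names below are assumptions of this example.
"""
import re
from urllib.parse import urlsplit

# Schemes the application is willing to clone from (assumed allowlist).
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# scp-like syntax "user@host:path" that git also accepts. The character
# classes are deliberately narrow so the host and path parts cannot carry
# anything git might parse as something other than a plain location.
_SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+:[A-Za-z0-9._/-]+$")


def is_safe_clone_url(url: str) -> bool:
    """Return True only for URLs that are an unambiguous remote location."""
    if not url or url != url.strip():
        return False
    # A string beginning with '-' would be parsed by git as an option,
    # not as a remote; reject it outright.
    if url.startswith("-"):
        return False
    # Whitespace and control characters have no place in a remote URL.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    if _SCP_LIKE.match(url):
        return True
    parts = urlsplit(url)
    # Any scheme outside the allowlist (file, ext, a bare path, ...) is
    # refused: the application only ever expects network remotes.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # A URL with an allowed scheme but no host is malformed.
    if not parts.netloc:
        return False
    return True


def build_clone_argv(url: str, dest: str) -> list[str]:
    """Return the argv for `git clone`, raising ValueError for an unsafe URL.

    The '--' terminator tells git that everything after it is an operand,
    so even a destination name beginning with '-' is taken literally.
    """
    if not is_safe_clone_url(url):
        raise ValueError("refused to clone from untrusted remote URL")
    return ["git", "clone", "--", url, dest]


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable remote, one rejected string.
    for candidate in ("https://example.com/org/repo.git", "--not-a-url"):
        try:
            print(build_clone_argv(candidate, "checkout"))
        except ValueError as exc:
            print(f"{candidate!r}: {exc}")
```

Run the check on the URL before passing it to GitPython's `Repo.clone_from` (or to any wrapper that ends up invoking `git clone`); it is a boundary control in the calling application and does not change what the library itself does with the argument.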