CVE-2022-24439

HIGH

gitpython - RCE

Title source: llm

Description

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Exploits (2)

nomisec STUB 1 star
by Makkkiiii · poc
https://github.com/Makkkiiii/GitPython-Exploit-CVE-2022-24439
nomisec WORKING POC
by muhammadhendro · poc
https://github.com/muhammadhendro/CVE-2022-24439

Scores

CVSS v3 8.1
EPSS 0.6886
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (6)
debian/debian_linux 10.0
fedoraproject/fedora 36
fedoraproject/fedora 37
fedoraproject/fedora 38
gitpython_project/gitpython < 3.1.30
pypi/GitPython 0 - 3.1.30 (PyPI)
Published Dec 06, 2022
Tracked Since Feb 18, 2026