CVE-2024-22190 HIGH

CVE-2024-22190: Untrusted search path under some conditions on Windows allows arbitrary code execution

Vendor Gitpython-Developers
Product GitPython
Weakness CWE-426
Published January 11, 2024
Last update September 3, 2024

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.

Key dates

02Disclosure timeline

January 11, 2024 CVE published
September 3, 2024 Record updated