gitpython version 3.1.29 has a RCE vulnerability (CVE-2022-24439) #971
Labels
bug
Something isn't working
Comments
|
While it is true that Bandit has a dependency on GitPython, it does not use it to do any cloning, nor take a URL argument. The code in particular that uses GitPython is found in the baseline.py module. |
|
Closing for now since GitHub has a new mechanism for reporting potential vulnerabilities. I have just enabled it. In the future you can open one here: https://github.com/PyCQA/bandit/security/advisories |
|
It looks like gitpython has now patched this vulnerability gitpython-developers/GitPython#1515 (comment) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
There is a Remote Code Execution vulnerability in all versions of gitpython.
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439
Reproduction steps
1. Install bandit version 1.7.4 2. It requires gitpython >=1.0.1 (but installs 3.1.29) 3. gitpython 3.1.29 has the reported vulnerabilityExpected behavior
Proper input validation for git URLs needs to exist so that it is NOT possible to inject a maliciously crafted remote URL into the clone command.
Bandit version
1.7.4 (Default)
Python version
3.11 (Default)
Additional context
No response
The text was updated successfully, but these errors were encountered: