CVE-2023-40267

Published Aug 11, 2023

Last updated a year ago

CVSS critical 9.8

Overview

Description: GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
Source: cve@mitre.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

nvd@nist.gov: NVD-CWE-noinfo

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*",
            "vulnerable": true,
            "matchCriteriaId": "06EB5A55-DB8A-4F86-9C77-F1FE464525FF",
            "versionEndExcluding": "3.1.32"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

https://nvd.nist.gov/vuln/detail/CVE-2023-40267
https://github.com/gitpython-developers/GitPython/commit/ca965ecc81853bca7675261729143f54e5bf4cdd
https://github.com/gitpython-developers/GitPython/pull/1609
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References