CVE-2024-22190

NameCVE-2024-22190
DescriptionGitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-git (PTS)buster2.1.11-1fixed
buster (security)2.1.11-1+deb10u2fixed
bullseye3.1.14-1fixed
bookworm3.1.30-1+deb12u2fixed
sid, trixie3.1.37-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-gitsource(unstable)(not affected)

Notes

- python-git <not-affected> (Only affects Windows)
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
https://github.com/gitpython-developers/GitPython/pull/1792
https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f (3.1.41)
Search for package or bug name: Reporting problems