CVE-2023-40590: GitPython untrusted search path on Windows systems leading to arbitrary code execution
When resolving a program name, Python on Windows looks in the current working directory first and only then in the directories of the PATH environment variable (see the prominent warning in https://docs.python.org/3/library/subprocess.html#popen-constructor). GitPython defaults to invoking the bare `git` command, so if a user runs GitPython from a repository that contains a `git.exe` or `git` executable, that file is run instead of the `git` found on the user's PATH.
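The following is an added defensive example written for this page; it is not GitPython's code and not the fix shipped in the referenced commit. It shows the two checks a caller can make before spawning `git` on Windows: resolve the command to an absolute path by walking PATH only (never the working directory, and skipping empty PATH entries, which mean "current directory"), and report any file in the working directory that a bare `git` lookup would have picked up first. The function names, the `demo()` scenario and its `git.exe` / `bin/git` files are all constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions Windows tries for a bare command name (a subset of the usual PATHEXT).
WINDOWS_SUFFIXES = (".exe", ".com", ".bat", ".cmd")


def shadowing_executables(command, cwd=None):
    """Files in `cwd` that a Windows lookup of the bare name `command`
    would pick up before PATH is consulted. An empty list means nothing shadows."""
    cwd = Path(cwd or os.getcwd())
    names = [command] + [command + s for s in WINDOWS_SUFFIXES]
    return sorted(str(cwd / n) for n in names if (cwd / n).is_file())


def resolve_from_path(command, path_env=None, pathext=None):
    """Resolve `command` to an absolute path by walking PATH only.

    The current directory is deliberately never searched, and empty PATH
    entries (which both Windows and POSIX treat as "current directory") are
    skipped. shutil.which is avoided because on Windows, before Python
    3.12.1, it prepends the current directory to the search list itself.
    """
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    if pathext is None:
        pathext = os.environ.get("PATHEXT", "") if os.name == "nt" else ""
    exts = [""] + [e for e in pathext.split(os.pathsep) if e]
    for directory in path_env.split(os.pathsep):
        if not directory or directory == ".":
            continue
        for ext in exts:
            candidate = Path(directory) / (command + ext)
            if candidate.is_file() and os.access(candidate, os.X_OK):
                return str(candidate.resolve())
    return None


def git_command_for(cwd=None, path_env=None):
    """Return (absolute_git_path, shadowing_files); raise if git is not on PATH.
    Pass absolute_git_path to subprocess instead of the bare name "git"."""
    resolved = resolve_from_path("git", path_env=path_env)
    if resolved is None:
        raise FileNotFoundError("git not found on PATH")
    return resolved, shadowing_executables("git", cwd)


def demo():
    """Constructed scenario (hypothetical layout): a checkout containing an
    untrusted git.exe, and a separate bin directory holding the legitimate git.
    Returns what the checks report so the outcome can be asserted on any OS."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        bin_dir = Path(tmp) / "bin"
        repo.mkdir()
        bin_dir.mkdir()
        (repo / "git.exe").write_text("untrusted file in the checkout")  # constructed
        real_git = bin_dir / "git"
        real_git.write_text("#!/bin/sh\necho real git\n")  # constructed stand-in binary
        real_git.chmod(real_git.stat().st_mode | stat.S_IXUSR)

        resolved, shadows = git_command_for(cwd=repo, path_env=str(bin_dir))
        return {
            "resolved_is_in_bin": Path(resolved).parent == bin_dir.resolve(),
            "shadow_names": [Path(s).name for s in shadows],
            "missing_when_path_empty": resolve_from_path("git", path_env="") is None,
        }


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario `git_command_for` resolves to `bin/git` and reports `git.exe` in the checkout as a shadowing file, which is the condition worth logging or refusing to proceed on before a subprocess call is made with a bare command name.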
References
- docs.python.org/3/library/subprocess.html
- github.com/advisories/GHSA-wfm5-v35h-vwf4
- github.com/gitpython-developers/GitPython
- github.com/gitpython-developers/GitPython/commit/8b75434e2c8a082cdeb4971cc6f0ee2bafec45bc
- github.com/gitpython-developers/GitPython/issues/1635
- github.com/gitpython-developers/GitPython/pull/1636
- github.com/gitpython-developers/GitPython/releases/tag/3.1.33
- github.com/gitpython-developers/GitPython/security/advisories/GHSA-wfm5-v35h-vwf4
- github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-161.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-40590