Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/gitpython@3.1.35
Typepypi
Namespace
Namegitpython
Version3.1.35
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.1.41
Latest_non_vulnerable_version3.1.41
Affected_by_vulnerabilities
0
url VCID-baz5-ra3v-9qeh
vulnerability_id VCID-baz5-ra3v-9qeh
summary GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.
references
0
reference_url https://github.com/gitpython-developers/GitPython
reference_id
reference_type
scores
url https://github.com/gitpython-developers/GitPython
1
reference_url https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f
2
reference_url https://github.com/gitpython-developers/GitPython/pull/1792
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://github.com/gitpython-developers/GitPython/pull/1792
3
reference_url https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2024-4.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2024-4.yaml
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-22190
reference_id CVE-2024-22190
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-22190
6
reference_url https://github.com/advisories/GHSA-2mqj-m65w-jghx
reference_id GHSA-2mqj-m65w-jghx
reference_type
scores
url https://github.com/advisories/GHSA-2mqj-m65w-jghx
fixed_packages
0
url pkg:pypi/gitpython@3.1.41
purl pkg:pypi/gitpython@3.1.41
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/gitpython@3.1.41
aliases CVE-2024-22190, GHSA-2mqj-m65w-jghx, PYSEC-2024-4
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-baz5-ra3v-9qeh
Fixing_vulnerabilities
0
url VCID-2wzu-49nj-8be5
vulnerability_id VCID-2wzu-49nj-8be5
summary GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.
references
0
reference_url https://github.com/gitpython-developers/GitPython
reference_id
reference_type
scores
url https://github.com/gitpython-developers/GitPython
1
reference_url https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
url https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175
2
reference_url https://github.com/gitpython-developers/GitPython/commit/74e55ee4544867e1bd976b7df5a45869ee397b0b
reference_id
reference_type
scores
url https://github.com/gitpython-developers/GitPython/commit/74e55ee4544867e1bd976b7df5a45869ee397b0b
3
reference_url https://github.com/gitpython-developers/GitPython/commit/e98f57b81f792f0f5e18d33ee658ae395f9aa3c4
reference_id
reference_type
scores
url https://github.com/gitpython-developers/GitPython/commit/e98f57b81f792f0f5e18d33ee658ae395f9aa3c4
4
reference_url https://github.com/gitpython-developers/GitPython/pull/1672
reference_id
reference_type
scores
url https://github.com/gitpython-developers/GitPython/pull/1672
5
reference_url https://github.com/gitpython-developers/GitPython/releases/tag/3.1.37
reference_id
reference_type
scores
url https://github.com/gitpython-developers/GitPython/releases/tag/3.1.37
6
reference_url https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
url https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
7
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-165.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-165.yaml
8
reference_url https://lists.debian.org/debian-lts-announce/2023/09/msg00036.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2023/09/msg00036.html
9
reference_url https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-41040
reference_id CVE-2023-41040
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-41040
11
reference_url https://github.com/advisories/GHSA-cwvm-v4w8-q58c
reference_id GHSA-cwvm-v4w8-q58c
reference_type
scores
url https://github.com/advisories/GHSA-cwvm-v4w8-q58c
fixed_packages
0
url pkg:pypi/gitpython@3.1.35
purl pkg:pypi/gitpython@3.1.35
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-baz5-ra3v-9qeh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/gitpython@3.1.35
1
url pkg:pypi/gitpython@3.1.37
purl pkg:pypi/gitpython@3.1.37
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-baz5-ra3v-9qeh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/gitpython@3.1.37
aliases CVE-2023-41040, GHSA-cwvm-v4w8-q58c, PYSEC-2023-165
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2wzu-49nj-8be5
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/gitpython@3.1.35