CVE-2022-24439

high-risk

Published 2022-12-06

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Do I need to act?

68.9% chance of exploitation in next 30 days

EPSS score — higher than 31% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / HIGH complexity

Affected Products (5)

Gitpython

Fedora

Debian Linux

Affected Vendors

Debian Fedoraproject Gitpython Project

References (17)

Broken Link https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de...

Mailing List https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html

Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202311-01

Exploit https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858

Broken Link https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de...

Mailing List https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html

https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html

Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202311-01

Exploit https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858

/ 100

high-risk

Severity 24/34 · High

Exploitability 19/34 · Moderate

Exposure 12/34 · Low