GitPython is a Python library used to interact with Git repositories. When resolving a program, Python on Windows looks in the current working directory first and only after that in the `PATH` environment variable. GitPython defaults to running the `git` command, so if a user runs GitPython from a repository that contains a `git.exe` or `git` executable, that program will be run instead of the one in the user's `PATH`. This is more a problem of how Python interacts with Windows systems; Linux and any other OS are not affected by this. But people using GitPython probably usually run it from the CWD of a repo. An attacker can trick a user into downloading a repository with a malicious `git` executable; if the user runs or imports GitPython from that directory, the attacker can run arbitrary commands. There is no fix currently available for Windows users, but there are a few mitigations:

1. Default to an absolute path for the git program on Windows, such as `C:\Program Files\Git\cmd\git.EXE` (the default git installation path).
2. Require users to set the `GIT_PYTHON_GIT_EXECUTABLE` environment variable on Windows systems.
3. Make this problem prominent in the documentation and advise users never to run GitPython from an untrusted repo, or to set the `GIT_PYTHON_GIT_EXECUTABLE` env var to an absolute path.
4. Resolve the executable manually by only looking into the `PATH` environment variable.
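The following is an added example, not GitPython's own code, showing the CWD-first lookup order described above beside a resolver that implements mitigation 4 (search only absolute `PATH` entries and never the working tree). The directory layout, the `git.exe` placeholder scripts and the `WINDOWS_EXTS` subset of `PATHEXT` are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

WINDOWS_EXTS = (".exe", ".cmd", ".bat", ".com")  # assumed subset of PATHEXT


def naive_lookup(name, path_env, cwd, windows=True):
    """Mirror the Windows order: the CWD is searched before PATH, and
    relative PATH entries ("" or ".") are interpreted against the CWD."""
    exts = WINDOWS_EXTS if windows else ("",)
    dirs = [cwd] + [os.path.join(cwd, e) for e in path_env.split(os.pathsep) if e]
    for d in dirs:
        for ext in exts:
            candidate = Path(d, name + ext)
            if candidate.is_file():
                return str(candidate)
    return None


def resolve_from_path_only(name, path_env, cwd, windows=True):
    """Mitigation 4: only absolute PATH entries are searched, and any entry
    inside the working tree is skipped, so a git.exe in a checkout never wins."""
    cwd_real = Path(cwd).resolve()
    exts = WINDOWS_EXTS if windows else ("",)
    for entry in path_env.split(os.pathsep):
        if not entry or not os.path.isabs(entry):
            continue  # "" and "." mean "the CWD": untrusted, skip
        entry_real = Path(entry).resolve()
        if entry_real == cwd_real or cwd_real in entry_real.parents:
            continue  # PATH points into the working tree: skip
        for ext in exts:
            candidate = entry_real / (name + ext)
            if candidate.is_file() and os.access(candidate, os.X_OK):
                return str(candidate)
    return None


def demo():
    """Constructed layout: a trusted bin dir and an untrusted checkout that
    ships its own git.exe (a harmless placeholder script here)."""
    root = Path(tempfile.mkdtemp(prefix="gitpython-cwd-demo-")).resolve()
    trusted, repo = root / "trusted" / "bin", root / "untrusted-repo"
    trusted.mkdir(parents=True)
    repo.mkdir()
    for exe in (trusted / "git.exe", repo / "git.exe"):
        exe.write_text("#!/bin/sh\necho placeholder\n")
        exe.chmod(exe.stat().st_mode | stat.S_IXUSR)
    path_env = os.pathsep.join([".", str(trusted)])  # "." first, as on many Windows PATHs
    return {
        "trusted": str(trusted / "git.exe"),
        "naive": naive_lookup("git", path_env, str(repo)),
        "safe": resolve_from_path_only("git", path_env, str(repo)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:8s} {value}")
```

Running `demo()` shows the naive lookup picking the `git.exe` inside the untrusted checkout while the PATH-only resolver returns the trusted binary.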
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product’s direct control.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Gitpython | Gitpython_project | * | 3.1.32 (including) |
Python-git | Ubuntu | bionic | * |
Python-git | Ubuntu | devel | * |
Python-git | Ubuntu | esm-apps/bionic | * |
Python-git | Ubuntu | esm-apps/focal | * |
Python-git | Ubuntu | esm-apps/jammy | * |
Python-git | Ubuntu | esm-apps/xenial | * |
Python-git | Ubuntu | esm-infra-legacy/trusty | * |
Python-git | Ubuntu | focal | * |
Python-git | Ubuntu | jammy | * |
Python-git | Ubuntu | lunar | * |
Python-git | Ubuntu | trusty | * |
Python-git | Ubuntu | trusty/esm | * |
Python-git | Ubuntu | xenial | * |
This might allow attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways. If the product uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted product would then execute. The problem extends to any type of critical resource that the product trusts. Some of the most common variants of untrusted search path are: