Advisories » MGASA-2023-0001

Updated python-gitpython packages fix security vulnerability

Publication date: 13 Jan 2023
Modification date: 13 Jan 2023
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-24439

Description

Remote Code Execution (RCE) due to improper user input validation, which
makes it possible to inject a maliciously crafted remote URL into the
clone command. Exploiting this vulnerability is possible because the
library makes external calls to git without sufficient sanitization of
input arguments. This is only relevant when enabling the ext transport
protocol (CVE-2022-24439).
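
A caller-side check for the input validation gap described above, as an added example that is not code from GitPython or from this advisory. The scheme allow-list and the names validate_remote_url, check and UnsafeRemoteURL are assumptions, and the check goes beyond the ext case by also rejecting values git would read as options.

```python
from urllib.parse import urlsplit

# Assumption: the only schemes this application needs to clone from.
ALLOWED_SCHEMES = frozenset({"https", "ssh"})


class UnsafeRemoteURL(ValueError):
    """Raised when a remote URL must not be handed to git."""


def validate_remote_url(url):
    """Return url unchanged if it is acceptable as a clone source."""
    if not isinstance(url, str) or not url:
        raise UnsafeRemoteURL("empty or non-string URL")
    if url != url.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise UnsafeRemoteURL("padding or control characters")
    if url.startswith("-"):
        # git would read this as a command-line option, not a URL.
        raise UnsafeRemoteURL("leading dash")
    if "::" in url.split("/", 1)[0]:
        # "<transport>::<address>" selects a remote helper such as ext.
        raise UnsafeRemoteURL("remote-helper transport syntax")
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        raise UnsafeRemoteURL("unparseable URL") from None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeRemoteURL("scheme not allowed")
    if not host:
        raise UnsafeRemoteURL("missing host")
    return url


def check(url):
    """Return "ok" or the rejection reason, for logging and tests."""
    try:
        validate_remote_url(url)
        return "ok"
    except UnsafeRemoteURL as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ("https://example.org/project.git", "ext::placeholder",
                   "--placeholder-option", "file:///srv/repo.git"):
        print(f"{sample!r}: {check(sample)}")
```

Applied to untrusted input before it reaches a clone call, this complements installing the updated packages and does not replace them.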
                

References

SRPMS

8/core