
CVE-2023-40590: Untrusted search path on Windows systems leading to arbitrary code execution #1635

Closed
igirardi opened this issue Aug 30, 2023 · 6 comments · Fixed by #1636

Comments

igirardi commented Aug 30, 2023

This appeared in the CVE additional information here GHSA-wfm5-v35h-vwf4.

I found it reported already. I am reporting it here just in case.

igirardi changed the title from "CVE-2023-40267: Remote Code Execution (RCE)" to "CVE-2023-40590: Remote Code Execution (RCE)" on Aug 30, 2023
igirardi changed the title from "CVE-2023-40590: Remote Code Execution (RCE)" to "CVE-2023-40590: Untrusted search path on Windows systems leading to arbitrary code execution" on Aug 30, 2023
Byron (Member) commented Aug 30, 2023

Thanks. This advisory originated in this repository and is thus known: GHSA-wfm5-v35h-vwf4.

However, it seems hard to communicate using an advisory, so we can keep this issue open to collect comments.

stsewd (Contributor) commented Aug 30, 2023

BTW, there is another vulnerability that was reported and is also pending a fix: GHSA-cwvm-v4w8-q58c. Looks like a CVE wasn't requested for that one.

Byron (Member) commented Aug 30, 2023

I thought for something less critical, it wouldn't be worth a whole CVE entry.
As a collaborator (and author) of the GHSA, are you able to request a CVE? If so, please go ahead if you think there should be one. Otherwise I will do it as per your request. Thanks.

stsewd (Contributor) commented Aug 30, 2023

@Byron only maintainers can request CVEs. If this was intentional, I don't mind having no CVE for that advisory 👍. I was suggesting it since it looks like people pay more attention to CVEs than to plain advisories (or so it seems to me). We could also create a new issue linking to the advisory, so people are more aware of it.

Byron (Member) commented Aug 30, 2023

I am happy to follow your advice and requested a CVE. It should increase visibility and with that, the chance for a fix.

Byron (Member) commented Sep 1, 2023

The fix was released here: https://pypi.org/project/GitPython/3.1.33/
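The issue title names the vulnerability class, an untrusted search path, without spelling out what that looks like in code. The block below is an added illustration written for this page; it is not GitPython's code and not the fix shipped in 3.1.33, and the function names (`trusted_path_entries`, `resolve_command`, `naive_resolve_command`) and the temporary-directory scenario with a planted `git` are all constructed for the demonstration. The general pattern it shows is a fact about Windows process creation: when a bare executable name such as `git` is passed to CreateProcess, the documented search order includes the parent's current directory, so a file named `git.exe` dropped into a directory the attacker controls (for example a repository the victim just cloned) can shadow the real tool. The hardened resolver searches only absolute, non-cwd PATH entries and refuses to fall back to the working directory.

```python
"""Added example, not GitPython's code and not its fix.

Illustrates an untrusted executable search path: a bare command name resolved
through a directory list that contains an attacker-controlled directory. The
helper names and the constructed temp-dir scenario are hypothetical.
"""
import os
import stat
import tempfile


def trusted_path_entries(path_env, cwd):
    """Keep only PATH entries that are absolute and are not the current
    working directory. An empty entry and '.' both mean "cwd", and a relative
    entry is resolved against cwd, so all three are dropped."""
    cwd = os.path.realpath(cwd)
    trusted = []
    for entry in path_env.split(os.pathsep):
        if not entry or entry == os.curdir or not os.path.isabs(entry):
            continue
        if os.path.realpath(entry) == cwd:
            continue
        trusted.append(entry)
    return trusted


def _candidate_names(name):
    """On Windows a bare name may need a PATHEXT suffix; elsewhere it is used as-is."""
    if os.name != "nt":
        return [name]
    exts = [e for e in os.environ.get("PATHEXT", ".EXE;.CMD;.BAT").split(os.pathsep) if e]
    if any(name.lower().endswith(e.lower()) for e in exts):
        return [name]
    return [name + e for e in exts]


def find_in_dirs(name, dirs):
    """Return the first executable regular file named NAME in DIRS, or None.
    Done by hand rather than with shutil.which because, at least through
    Python 3.11, shutil.which on Windows prepends the current directory to
    the search list even when an explicit path= is passed."""
    if os.path.dirname(name):
        raise ValueError("expected a bare command name, not a path")
    for d in dirs:
        for cand in _candidate_names(name):
            full = os.path.join(d, cand)
            if os.path.isfile(full) and os.access(full, os.X_OK):
                return full
    return None


def resolve_command(name, path_env, cwd):
    """Hardened lookup: trusted PATH entries only, never the working directory."""
    return find_in_dirs(name, trusted_path_entries(path_env, cwd))


def naive_resolve_command(name, path_env, cwd):
    """Weak lookup: the working directory is consulted first, which is the
    effective behaviour of a loader that searches cwd for a bare name."""
    return find_in_dirs(name, [cwd] + path_env.split(os.pathsep))


def demo():
    """Constructed scenario: a 'real' git in a trusted bin directory and a
    planted 'git' in a directory standing in for an attacker-controlled cwd
    (for example a freshly cloned repository)."""
    with tempfile.TemporaryDirectory() as root:
        trusted_bin = os.path.join(root, "bin")
        planted_cwd = os.path.join(root, "evil-repo")
        for d in (trusted_bin, planted_cwd):
            os.makedirs(d)
            exe = os.path.join(d, "git")
            with open(exe, "w") as f:
                f.write("#!/bin/sh\necho running from %s\n" % d)
            os.chmod(exe, os.stat(exe).st_mode | stat.S_IXUSR)
        path_env = trusted_bin  # PATH holds only the trusted directory
        naive = naive_resolve_command("git", path_env, planted_cwd)
        hardened = resolve_command("git", path_env, planted_cwd)
        return {
            "naive_picks_planted": os.path.dirname(naive) == planted_cwd,
            "hardened_picks_trusted": os.path.dirname(hardened) == trusted_bin,
        }


if __name__ == "__main__":
    print(demo())
```

The check that matters is the one in `trusted_path_entries`: resolve the tool to an absolute path from directories you trust before spawning it, and treat an empty PATH entry, `.`, and any relative entry as equivalent to "the attacker's directory". Passing the resolved absolute path to the process launcher, rather than the bare name, is what removes the loader's own search behaviour from the picture.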
