[REDMINE1D-313] [RM-8297] Update GitPython version

Created: 19/Sep/23 | Updated: 22/Sep/23 | Resolved: 22/Sep/23

| Field | Value |
| --- | --- |
| Status | Done |
| Project | 1D Redmine |
| Component/s | None |
| Affects Version/s | None |
| Fix Version/s | None |
| Type | Task |
| Priority | Normal |
| Reporter | Redmine-Jira Migration |
| Assignee | Redmine-Jira Migration |
| Resolution | Done |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
Description

Created on 2023-09-15 08:42:35 by Ali Allaoui. % Done: 100

GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from, making it vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
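As an added defensive example (not from this ticket and not GitPython's own code): a pre-flight guard for a service that clones user-supplied repositories with `Repo.clone_from`. It checks that the installed GitPython is at least the fixed 3.1.32 release and rejects any remote argument that is not an absolute URL with an allow-listed scheme, so an option-shaped string never reaches the git command line. The helper names, the allow-listed schemes and the sample inputs are assumptions.

```python
"""Pre-flight checks before handing a user-supplied remote URL to GitPython.

Hypothetical helpers for a clone service; the installed version string would
normally come from git.__version__ (GitPython is not imported here so the
checks run offline).
"""
import re
from urllib.parse import urlsplit

# First GitPython release that blocks the insecure options (per the ticket).
FIXED_VERSION = (3, 1, 32)

# Remote schemes this service accepts; scp-style "user@host:path" and local
# paths have no scheme and are deliberately rejected. Assumed policy.
ALLOWED_SCHEMES = {"https", "ssh"}


def parse_version(text: str) -> tuple:
    """Turn '3.1.31' or '3.1.32.post1' into a tuple of the leading numeric parts."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break          # stop at a non-numeric suffix such as 'post1'
        parts.append(int(m.group()))
    return tuple(parts)


def is_fixed_version(installed: str) -> bool:
    """True when the installed GitPython is at least 3.1.32."""
    return parse_version(installed) >= FIXED_VERSION


def check_remote_url(url: str) -> str:
    """Return the URL unchanged if it is safe to pass as the clone target, else raise."""
    if not isinstance(url, str) or not url.strip():
        raise ValueError("empty remote URL")
    if url.lstrip().startswith("-"):
        # The URL is passed positionally to git; anything option-shaped is refused.
        raise ValueError("remote URL must not start with '-' (looks like a git option)")
    if any(c in url for c in "\r\n\0"):
        raise ValueError("control characters in remote URL")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("remote URL needs an allow-listed scheme and a host")
    return url


def safe_clone_args(url: str, to_path: str, installed_version: str) -> tuple:
    """Validate the library version and the URL; return (url, to_path) for Repo.clone_from."""
    if not is_fixed_version(installed_version):
        raise RuntimeError(f"GitPython {installed_version} is older than 3.1.32; upgrade first")
    return (check_remote_url(url), to_path)
```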
Comments

Comment by Redmine-Jira Migration [ 22/Sep/23 ]

Comment by Ali Allaoui on 2023-09-15 14:24:59:

Comment by Redmine-Jira Migration [ 22/Sep/23 ]

Comment by Pierre-yves Chabaud on 2023-09-15 16:20:51: