Vulnerabilities

 6 via 6 paths

Dependencies

 16

Source

 GitHub

Commit

 f7a08c6e

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 3
  • 2
Status
  • 6
  • 0
  • 0

critical severity

Remote Code Execution (RCE)

  • Vulnerable module: gitpython
  • Introduced through: gitpython@3.1.27

Detailed paths

  • Introduced through: mBouamama/rawsec_cli@mBouamama/rawsec_cli#f7a08c6e04dee9c643b369d22705f5a0d4aa386e gitpython@3.1.27
    Remediation: Upgrade to gitpython@3.1.32.

Overview

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to an improper fix for CVE-2022-24439, which allows insecure non-multi options in clone and clone_from.

PoC

r.clone_from('test', 'tmp', c=["protocol.ext.allow=always"])
GitCommandError: Cmd('git') failed due to: exit code(128)
cmdline: git clone -v -c protocol.ext.allow=always -- test tmp

Remediation

Upgrade GitPython to version 3.1.32 or higher.

References

Remote Code Execution (RCE) vulnerability report

high severity

Remote Code Execution (RCE)

  • Vulnerable module: gitpython
  • Introduced through: gitpython@3.1.27

Detailed paths

  • Introduced through: mBouamama/rawsec_cli@mBouamama/rawsec_cli#f7a08c6e04dee9c643b369d22705f5a0d4aa386e gitpython@3.1.27
    Remediation: Upgrade to gitpython@3.1.30.

Overview

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. This is only relevant when enabling the ext transport protocol.

PoC

from git import Repo
r = Repo.init('', bare=True)
r.clone_from('ext::sh -c touch% /tmp/pwned', 'tmp', multi_options=["-c protocol.ext.allow=always"])

Remediation

Upgrade GitPython to version 3.1.30 or higher.

References

Remote Code Execution (RCE) vulnerability report

high severity

Untrusted Search Path

  • Vulnerable module: gitpython
  • Introduced through: gitpython@3.1.27

Detailed paths

  • Introduced through: mBouamama/rawsec_cli@mBouamama/rawsec_cli#f7a08c6e04dee9c643b369d22705f5a0d4aa386e gitpython@3.1.27
    Remediation: Upgrade to gitpython@3.1.33.

Overview

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Untrusted Search Path allowing an attacker to run any arbitrary commands through a downloaded repository with a malicious git executable.

Note: This vulnerability affects only Windows systems.

PoC

On a Windows system, create a git.exe or git executable in any directory, and import or run GitPython from that directory

python -c "import git"

The git executable from the current directory will be run.

Remediation

Upgrade GitPython to version 3.1.33 or higher.

References

Untrusted Search Path vulnerability report

high severity

Untrusted Search Path

  • Vulnerable module: gitpython
  • Introduced through: gitpython@3.1.27

Detailed paths

  • Introduced through: mBouamama/rawsec_cli@mBouamama/rawsec_cli#f7a08c6e04dee9c643b369d22705f5a0d4aa386e gitpython@3.1.27
    Remediation: Upgrade to gitpython@3.1.41.

Overview

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Untrusted Search Path via the use of an untrusted search path on Windows. An attacker can execute arbitrary code by placing a malicious git.exe or bash.exe in the current directory, which may then be executed instead of the legitimate binaries when certain GitPython features are used.

Notes:

  1. This is a completion of the fix for CVE-2023-40590.

  2. When GitPython runs git directly rather than through a shell, the GitPython process performs the path search, and omits the current directory by setting NoDefaultCurrentDirectoryInExePath in its own environment during the Popen call.

  3. GitPython sets the subprocess CWD to the root of a repository's working tree. Using a shell will run a malicious git.exe in an untrusted repository even if GitPython itself is run from a trusted location. This also applies if git.execute is called directly with shell=True or after git.USE_SHELL = True, to run any command.

  4. On Windows, GitPython uses bash.exe to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running bash.exe in the current directory. While bash.exe is a shell, this is a separate scenario from when git is run using the unrelated Windows cmd.exe shell.

PoC

mkdir testrepo
git init testrepo
cp ... testrepo\git.exe  # Replace "..." with any executable of choice.
python -c "import git; print(git.Repo('testrepo').git.version(shell=True))"

Remediation

Upgrade GitPython to version 3.1.41 or higher.

References

Untrusted Search Path vulnerability report

medium severity

Information Exposure

  • Vulnerable module: requests
  • Introduced through: requests@2.27.1

Detailed paths

  • Introduced through: mBouamama/rawsec_cli@mBouamama/rawsec_cli#f7a08c6e04dee9c643b369d22705f5a0d4aa386e requests@2.27.1
    Remediation: Upgrade to requests@2.31.0.

Overview

Affected versions of this package are vulnerable to Information Exposure by leaking Proxy-Authorization headers to destination servers during redirects to an HTTPS origin. This is a result of how rebuild_proxies is used to recompute and reattach the Proxy-Authorization header to requests when redirected.

NOTE: This behavior has only been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. https://username:password@proxy:8080), and only when redirecting to HTTPS:

  1. HTTP → HTTPS: leak

  2. HTTPS → HTTP: no leak

  3. HTTPS → HTTPS: leak

  4. HTTP → HTTP: no leak

For HTTP connections sent through the proxy, the proxy will identify the header in the request and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.

Workaround

This vulnerability can be avoided by setting allow_redirects to False on all calls through Requests top-level APIs, and then capturing the 3xx response codes to make a new request to the redirect destination.

Remediation

Upgrade requests to version 2.31.0 or higher.

References

Information Exposure vulnerability report

medium severity

Directory Traversal

  • Vulnerable module: gitpython
  • Introduced through: gitpython@3.1.27

Detailed paths

  • Introduced through: mBouamama/rawsec_cli@mBouamama/rawsec_cli#f7a08c6e04dee9c643b369d22705f5a0d4aa386e gitpython@3.1.27
    Remediation: Upgrade to gitpython@3.1.35.

Overview

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Directory Traversal due to improper validation of the final path. Although this vulnerability cannot be used to read the contents of files, it could potentially be used to trigger a denial of service for the program.

PoC

import git

r = git.Repo(".")

# This will make GitPython read the README.md file from the root of the repo
r.commit("../README.md")
r.tree("../README.md")
r.index.diff("../README.md")

# Reading /etc/random
# WARNING: this will probably halt your system, run with caution
# r.commit("../../../../../../../../../dev/random")

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade GitPython to version 3.1.35 or higher.

References

Directory Traversal vulnerability report