{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-40267", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T18:31:52.387Z", "dateReserved": "2023-08-11T00:00:00", "datePublished": "2023-08-11T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-25T02:06:18.470600"}, "descriptions": [{"lang": "en", "value": "GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/gitpython-developers/GitPython/pull/1609"}, {"url": "https://github.com/gitpython-developers/GitPython/commit/ca965ecc81853bca7675261729143f54e5bf4cdd"}, {"name": "FEDORA-2023-1ec4e542f9", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/"}, {"name": "FEDORA-2023-26116901d9", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:31:52.387Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/gitpython-developers/GitPython/pull/1609", "tags": ["x_transferred"]}, {"url": "https://github.com/gitpython-developers/GitPython/commit/ca965ecc81853bca7675261729143f54e5bf4cdd", "tags": ["x_transferred"]}, {"name": "FEDORA-2023-1ec4e542f9", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/"}, {"name": "FEDORA-2023-26116901d9", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*", "matchCriteriaId": "06EB5A55-DB8A-4F86-9C77-F1FE464525FF", "versionEndExcluding": "3.1.32", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439."}, {"lang": "es", "value": "GitPython antes de 3.1.32 no bloquea opciones inseguras no multi en clone y clone_from. NOTA: este problema existe debido a una correcci\u00f3n incompleta de CVE-2022-24439.\n"}], "id": "CVE-2023-40267", "lastModified": "2023-11-07T04:20:10.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-11T07:15:09.647", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/gitpython-developers/GitPython/commit/ca965ecc81853bca7675261729143f54e5bf4cdd"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/gitpython-developers/GitPython/pull/1609"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:4991", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.3::el8", "impact": "low", "package": "automation-controller-0:4.3.13-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.3 for RHEL 8", "release_date": "2023-09-06T00:00:00Z"}, {"advisory": "RHSA-2023:4991", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.3::el9", "impact": "low", "package": "automation-controller-0:4.3.13-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.3 for RHEL 9", "release_date": "2023-09-06T00:00:00Z"}, {"advisory": "RHSA-2023:4971", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "impact": "low", "package": "automation-controller-0:4.4.3-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4971", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "impact": "low", "package": "python3x-gitpython-0:3.1.32-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4971", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "impact": "moderate", "package": "automation-controller-0:4.4.3-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:4971", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "impact": "low", "package": "python-gitpython-0:3.1.32-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2023:5931", "cpe": "cpe:/a:redhat:satellite:6.13::el8", "impact": "moderate", "package": "python-gitpython-0:3.1.32-1.el8pc", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5931", "cpe": "cpe:/a:redhat:satellite_capsule:6.13::el8", "impact": "moderate", "package": "python-gitpython-0:3.1.32-1.el8pc", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:6818", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "impact": "moderate", "package": "python-gitpython-0:3.1.32-1.el8pc", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6818", "cpe": "cpe:/a:redhat:satellite_capsule:6.14::el8", "impact": "moderate", "package": "python-gitpython-0:3.1.32-1.el8pc", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2023-11-08T00:00:00Z"}], "bugzilla": {"description": "GitPython: Insecure non-multi options in clone and clone_from is not blocked", "id": "2231474", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2231474"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.", "An improper input validation vulnerability was found in GitPython. This flaw allows an attacker to inject a maliciously crafted remote URL into the clone command, possibly leading to remote code execution."], "name": "CVE-2023-40267", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "impact": "low", "package_name": "gitpython", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Affected", "impact": "low", "package_name": "gitpython", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:certifications:1::el6", "fix_state": "Out of support scope", "impact": "low", "package_name": "redhat-certification-backend", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:certifications:1::el7", "fix_state": "Out of support scope", "impact": "low", "package_name": "redhat-certification", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:certifications:1::el8", "fix_state": "Affected", "impact": "low", "package_name": "redhat-certification", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:certifications:1::el9", "fix_state": "Affected", "impact": "low", "package_name": "redhat-certification", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Will not fix", "impact": "low", "package_name": "GitPython", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Will not fix", "impact": "low", "package_name": "GitPython", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Will not fix", "impact": "low", "package_name": "GitPython", "product_name": "Red Hat OpenStack Platform 17.0"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "impact": "low", "package_name": "GitPython", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "impact": "low", "package_name": "GitPython", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2023-08-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-40267\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-40267\nhttps://github.com/advisories/GHSA-pr76-5cm5-w9cj"], "statement": "In Red Hat Openstack, Red Hat Ansible Automation Platform, and Red Hat Certification Program, while the gitpython dependency is present, the affected codebase is not being used. \nRed Hat Satellite does not use the affected functions during runtime, therefore the possible impact is limited to Moderate.", "threat_severity": "Moderate", "upstream_fix": "git-python 3.1.32"}