CVE-2023-40590

CVSS 3.1 Score 7.8 of 10 (high)

Details

Published: Aug 28, 2023
Updated: Sep 5, 2023
CWE ID: 426 (Untrusted Search Path)

Summary

CVE-2023-40590 is a vulnerability affecting GitPython, a Python library used for interacting with Git repositories. On Windows, GitPython invokes Git by its bare name, and Windows process creation searches the current working directory before the directories in `PATH` when the executable name is not qualified; as a result, GitPython can inadvertently execute a malicious `git.exe` or `git` placed in the current working directory instead of the expected one in the `PATH`. This issue, which primarily affects Windows users, can be exploited by an attacker who tricks a user into downloading a repository containing a malicious Git executable. At present, there is no fix available for this issue on Windows, but users can implement several mitigations, such as specifying an absolute path for the Git executable, setting the `GIT_PYTHON_GIT_EXECUTABLE` environment variable, or resolving the executable from the `PATH` themselves before GitPython is used. It is crucial for users to be cautious and not run GitPython from untrusted repositories.
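The three mitigations above combined, as an added example that is not part of this advisory or of GitPython's own code: the script resolves `git` from absolute `PATH` entries only (never the working directory), then pins GitPython to that absolute path through `GIT_PYTHON_GIT_EXECUTABLE`, which the `git` package reads when it is imported. The function names and the `exe_name`/`cwd` parameters are this example's own.

```python
"""Mitigation for CVE-2023-40590 (CWE-426, untrusted search path)."""
import os
import sys


def resolve_git_executable(path_env=None, cwd=None, exe_name=None):
    """Return the absolute path of git found on PATH, or None.

    Unlike an unqualified "git" handed to Windows process creation, this
    lookup never considers the current working directory, so a git.exe
    dropped into a cloned repository is not picked up.
    """
    path_env = os.environ.get("PATH", "") if path_env is None else path_env
    cwd = os.path.abspath(os.getcwd() if cwd is None else cwd)
    exe_name = exe_name or ("git.exe" if sys.platform == "win32" else "git")

    for entry in path_env.split(os.pathsep):
        # An empty entry means "current directory" on Windows and a relative
        # entry changes meaning on every chdir: both are untrusted search paths.
        if not entry or not os.path.isabs(entry):
            continue
        if os.path.normcase(os.path.abspath(entry)) == os.path.normcase(cwd):
            continue
        candidate = os.path.join(entry, exe_name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return os.path.abspath(candidate)
    return None


def configure_gitpython(git_path=None):
    """Pin GitPython to an absolute git path; refuse to start otherwise."""
    git_path = git_path or resolve_git_executable()
    if git_path is None:
        raise RuntimeError("git not found on PATH; not falling back to the cwd")
    # GitPython reads this variable when the `git` package is imported,
    # so it must be set before the import below.
    os.environ["GIT_PYTHON_GIT_EXECUTABLE"] = git_path
    return git_path


if __name__ == "__main__":
    print("GitPython will use:", configure_gitpython())
    import git  # noqa: E402  (imported only after the variable is set)
    print("GitPython reports:", git.Git.GIT_PYTHON_GIT_EXECUTABLE)
```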

