Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2023-41040
Modified
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-30 Aug, 2023 | 22:15
Updated At-03 Nov, 2025 | 22:16

GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has been addressed in version 3.1.37.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.0MEDIUM
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Type: Secondary
Version: 3.1
Base score: 4.0
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CPE Matches
gitpython_project
gitpython_project
>>gitpython>>Versions up to 3.1.34(inclusive)
cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*
Weaknesses
CWE IDTypeSource
CWE-22Secondarysecurity-advisories@github.com
CWE-22Secondarynvd@nist.gov
CWE ID: CWE-22
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-22
Type: Secondary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175security-advisories@github.com
Product
https://github.com/gitpython-developers/GitPython/commit/74e55ee4544867e1bd976b7df5a45869ee397b0bsecurity-advisories@github.com
N/A
https://github.com/gitpython-developers/GitPython/commit/e98f57b81f792f0f5e18d33ee658ae395f9aa3c4security-advisories@github.com
N/A
https://github.com/gitpython-developers/GitPython/pull/1672security-advisories@github.com
N/A
https://github.com/gitpython-developers/GitPython/releases/tag/3.1.37security-advisories@github.com
N/A
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58csecurity-advisories@github.com
Exploit
Vendor Advisory
https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-165.yamlsecurity-advisories@github.com
N/A
https://lists.debian.org/debian-lts-announce/2023/09/msg00036.htmlsecurity-advisories@github.com
N/A
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175af854a3a-2127-422b-91ae-364da2661108
Product
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58caf854a3a-2127-422b-91ae-364da2661108
Exploit
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00036.htmlaf854a3a-2127-422b-91ae-364da2661108
N/A
https://lists.debian.org/debian-lts-announce/2024/10/msg00030.htmlaf854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175
Source: security-advisories@github.com
Resource:
Product
Hyperlink: https://github.com/gitpython-developers/GitPython/commit/74e55ee4544867e1bd976b7df5a45869ee397b0b
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/gitpython-developers/GitPython/commit/e98f57b81f792f0f5e18d33ee658ae395f9aa3c4
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/gitpython-developers/GitPython/pull/1672
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/gitpython-developers/GitPython/releases/tag/3.1.37
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory
Hyperlink: https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-165.yaml
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2023/09/msg00036.html
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Product
Hyperlink: https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Vendor Advisory
Hyperlink: https://lists.debian.org/debian-lts-announce/2023/09/msg00036.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Change History
0Changes found
Details not found