You can use boolean logic (e.g. AND/OR/NOT) for complex search queries. For more help and examples, see the search documentation.
Search by package name:
my-package (implicit)
name:my-package (explicit)
Search by package filename:
my-package.ext (implicit)
filename:my-package.ext (explicit)
Search by package tag:
latest (implicit)
tag:latest (explicit)
Search by package version:
1.0.0 (implicit)
version:1.0.0 (explicit)
prerelease:true (prereleases)
prerelease:false (no prereleases)
Search by package architecture:
architecture:x86_64
Search by package distribution:
distribution:el
Search by package license:
license:MIT
Search by package format:
format:deb
Search by package status:
status:in_progress
Search by package file checksum:
checksum:5afba
Search by package security status:
severity:critical
Search by package vulnerabilities:
vulnerabilities:>1
vulnerabilities:<1000
Search by # of package downloads:
downloads:>8
downloads:<100
Search by package type:
type:binary
type:source
Search by package size (bytes):
size:>50000
size:<10000
Search by dependency name/version:
dependency:log4j
dependency:log4j=1.0.0
dependency:log4j>1.0.0
Search by uploaded date:
uploaded:>"1 day ago"
uploaded:<"August 14, 2022 EST"
Search by entitlement token (identifier):
entitlement:3lKPVJPosCsY
Search by policy violation:
policy_violated:true
deny_policy_violated:true
license_policy_violated:true
vulnerability_policy_violated:true
Search by repository:
repository:repo-name
Search queries for all Debian-specific (and related) package types
Search by component:
deb_component:unstable
Search queries for all Maven-specific (and related) package types
Search by group ID:
maven_group_id:org.apache
Search queries for all Docker-specific (and related) package types
Search by image digest:
docker_image_digest:sha256:7c5..6d4
(full hashref only)
Search by layer digest:
docker_layer_digest:sha256:4c4..ae4
(full hashref only)
Field type modifiers (depending on the type, you can influence behaviour)
For all queries, you can use:
~foo for negation
For string queries, you can use:
^foo to anchor to start of term
foo$ to anchor to end of term
foo*bar for fuzzy matching
For number/date or version queries, you can use:
>foo for values greater than
>=foo for values greater / equal
<foo for values less than
<=foo for values less / equal
Need a secure and centralised artifact repository to deliver Alpine,
Cargo,
CocoaPods,
Composer,
Conan,
Conda,
CRAN,
Dart,
Debian,
Docker,
Go,
Helm,
Hex,
LuaRocks,
Maven,
npm,
NuGet,
P2,
Python,
RedHat,
Ruby,
Swift,
Terraform,
Vagrant,
Raw & More packages?
Cloudsmith is the new standard in Package / Artifact Management and Software Distribution.
With support for all major package formats, you can trust us to manage your software supply chain.
myob
trufflehog
7ab713e713c2508c290c7be09ff…
One-liner (summary)
Description
| Status | Quarantined |
|---|---|
| GPG Signature | |
| Storage Region | Dublin, Ireland |
| Type | Binary (contains binaries and binary artifacts) |
| Uploaded At | 1 year ago |
| Uploaded By |
|
| Slug Id | trufflehog-jbxo |
| Unique Id | 7SSsytqvUPQj |
| Version (Raw) | 7ab713e713c2508c290c7be09ff7e865813743fa443d6b445d0d169721a68c32 |
| Version (Parsed) |
|
| docker-specific metadata | |
| Image Digest | sha256:7ab713e713c2508c290c7be09ff7e865813743fa443d6b445d0d169721a68c32 |
| Config Digest | sha256:b3e93d061110b398e6c0e6b35e6d76d27c5a7772e22550b8f503c748b86831f1 |
| V1 OCI Index Digest | sha256:1333a2ab9527aa4afac91d4025172520f0eace0da95fe1743a4fcf0ae816b2c6 |
| V1 Distribution (Signed) Digest | sha256:d8a0226d37570a6ee2c838408d1ad539309ec090ddcf5b1e09c8034d856228a2 |
| V1 OCI Digest | sha256:61bdaa61e7795ee992b17162267dfd8ec37b28359931fe76e3827557afd061b2 |
| V2 Distribution List Digest | sha256:da51602a606c6ea2b827b036903ede729fa029379fc4228554361f8db703f195 |
| V1 Distribution Digest | sha256:c6587bf5772b798aa7b632bfe92c22b91f859fb89af27b9d1d7236e4755459e1 |
| V2 Distribution Digest | sha256:7ab713e713c2508c290c7be09ff7e865813743fa443d6b445d0d169721a68c32 |
| extended metadata | |
| Manifest Type | V2 Distribution |
| Architecture | amd64 |
| Config | |
| Container | 04cfe8b2b53d6cf7b03e3c94cbb6a21f913bc15c866c59efa682e4c700ea54e2 |
| Container Config | |
| Created | 2024-04-23 13:32:52 UTC |
| Docker Version | 20.10.25 |
| Os | linux |
This package was uploaded with the following V2 Distribution manifest:
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"size": 9468,
"digest": "sha256:00959ddf6e132069e399259570199a67645b8bd459b2230d75c4820a56e48fd7"
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 3408729,
"digest": "sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 619598,
"digest": "sha256:c3cdf40b8bda8e4ca4be0f5fa7f1d128907271efcbc72cbfc7c8b0f939ec25ea"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 12669619,
"digest": "sha256:ac499ccf2147611bc4388058b362c0bcc1ca63ec1a320a2f4ed5c0a9a76d08ea"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 240,
"digest": "sha256:416bfceb623eb12bf1c373489e0dba32f00fd4fef037b369538d190c615d49cd"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 3130184,
"digest": "sha256:76351c33299b900aa86b33176eac198fc861d4a7978046db4ae8b319e148088a"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 5169933,
"digest": "sha256:d4f8a2f644632164dfff044bf8d1c2db12a06d11cceb602981ffd11501b3825a"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 5756746,
"digest": "sha256:9c544b4afa17898e4bf8aec8bf2ccbc02835e6a464d330675d43776dc3147b22"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 909,
"digest": "sha256:cddfc56af4cf45e57ed4cb8fcde7c77ba9f01a7b1a17fb022ffe8d8aa2c2927c"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 1477,
"digest": "sha256:4ecbe9fbafdb964e8d9455420aa0ba2af4d9e9bde7e78b4822ef7bd29fc1def2"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 4646841,
"digest": "sha256:9890989414c71647b6510acc16b8bb1072735d25a2075e4cf0c44941344501fa"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 908,
"digest": "sha256:e9899e983b4c3ef281139c9c1d74f41dd21bd5cb4a7526c7dadb4e9f6570f87f"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 1271,
"digest": "sha256:1c89ab950bd4401e0c16ebc8e20a3a2ec3a02d25852e1caa8d5ea0df0a652ac6"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 4646843,
"digest": "sha256:3eb42147f35d359c55f998e724962c1527cb58b8e80a0ca621fb0f57673780f7"
}
]
}|
Digest:
sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8
Command: /bin/sh -c #(nop) ADD file:37a76ec18f9887751cd8473744917d08b7431fc4085097bb6a09d81b41775473 in / |
3.3 MB | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) CMD ["/bin/sh"] |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV LANG=C.UTF-8 |
32 bytes | ||
|
Digest:
sha256:c3cdf40b8bda8e4ca4be0f5fa7f1d128907271efcbc72cbfc7c8b0f939ec25ea
Command: RUN /bin/sh -c set -eux; apk add --no-cache ca-certificates tzdata ; # buildkit |
605.1 KB | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_VERSION=3.11.9 |
32 bytes | ||
|
Digest:
sha256:ac499ccf2147611bc4388058b362c0bcc1ca63ec1a320a2f4ed5c0a9a76d08ea
Command: RUN /bin/sh -c set -eux; apk add --no-cache --virtual .build-deps gnupg tar xz bluez-dev bzip2-dev dpkg-dev dpkg expat-dev findutils gcc gdbm-dev libc-dev libffi-dev libnsl-dev libtirpc-dev linux-headers make ncurses-dev openssl-dev pax-utils readline-dev sqlite-dev tcl-dev tk tk-dev util-linux-dev xz-dev zlib-dev ; wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; gpg --batch --verify python.tar.xz.asc python.tar.xz; gpgconf --kill all; rm -rf "$GNUPGHOME" python.tar.xz.asc; mkdir -p /usr/src/python; tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; rm python.tar.xz; cd /usr/src/python; gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; ./configure --build="$gnuArch" --enable-loadable-sqlite-extensions --enable-optimizations --enable-option-checking=fatal --enable-shared --with-lto --with-system-expat --without-ensurepip ; nproc="$(nproc)"; EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000"; LDFLAGS="${LDFLAGS:--Wl},--strip-all"; make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:-}" "PROFILE_TASK=${PROFILE_TASK:-}" ; rm python; make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:--Wl},-rpath='\$\$ORIGIN/../lib'" "PROFILE_TASK=${PROFILE_TASK:-}" python ; make install; cd /; rm -rf /usr/src/python; find /usr/local -depth \( \( -type d -a \( -name test -o -name tests -o -name idle_test \) \) -o \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \) \) \) -exec rm -rf '{}' + ; find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' | tr ',' '\n' | sort -u | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' | xargs -rt apk add --no-network --virtual .python-rundeps ; apk del --no-network .build-deps; python3 --version # buildkit |
12.1 MB | ||
|
Digest:
sha256:416bfceb623eb12bf1c373489e0dba32f00fd4fef037b369538d190c615d49cd
Command: RUN /bin/sh -c set -eux; for src in idle3 pydoc3 python3 python3-config; do dst="$(echo "$src" | tr -d 3)"; [ -s "/usr/local/bin/$src" ]; [ ! -e "/usr/local/bin/$dst" ]; ln -svT "$src" "/usr/local/bin/$dst"; done # buildkit |
240 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_PIP_VERSION=24.0 |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_SETUPTOOLS_VERSION=65.5.1 |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/dbf0c85f76fb6e1ab42aa672ffca6f0a675d9ee4/public/get-pip.py |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_GET_PIP_SHA256=dfe9fd5c28dc98b5ac17979a953ea550cec37ae1b47a5116007395bfacff2ab9 |
32 bytes | ||
|
Digest:
sha256:76351c33299b900aa86b33176eac198fc861d4a7978046db4ae8b319e148088a
Command: RUN /bin/sh -c set -eux; wget -O get-pip.py "$PYTHON_GET_PIP_URL"; echo "$PYTHON_GET_PIP_SHA256 *get-pip.py" | sha256sum -c -; export PYTHONDONTWRITEBYTECODE=1; python get-pip.py --disable-pip-version-check --no-cache-dir --no-compile "pip==$PYTHON_PIP_VERSION" "setuptools==$PYTHON_SETUPTOOLS_VERSION" ; rm -f get-pip.py; pip --version # buildkit |
3.0 MB | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: CMD ["python3"] |
32 bytes | ||
|
Digest:
sha256:d4f8a2f644632164dfff044bf8d1c2db12a06d11cceb602981ffd11501b3825a
Command: /bin/sh -c apk add --no-cache git less |
4.9 MB | ||
|
Digest:
sha256:9c544b4afa17898e4bf8aec8bf2ccbc02835e6a464d330675d43776dc3147b22
Command: /bin/sh -c pip install gitdb2==3.0.0 truffleHog==2.2.1 |
5.5 MB | ||
|
Digest:
sha256:cddfc56af4cf45e57ed4cb8fcde7c77ba9f01a7b1a17fb022ffe8d8aa2c2927c
Command: /bin/sh -c #(nop) COPY file:912eb83db77aaf6caccb13f8a2591f99a4c6ab0b2d05df68cef94a84b353376b in /entrypoint.sh |
909 bytes | ||
|
Digest:
sha256:4ecbe9fbafdb964e8d9455420aa0ba2af4d9e9bde7e78b4822ef7bd29fc1def2
Command: /bin/sh -c #(nop) COPY file:32b341b97cc7a6ce285b7f7d2ce7478c94abb5bcb5007621f352005e85aa69b5 in /regex.json |
1.4 KB | ||
|
Digest:
sha256:9890989414c71647b6510acc16b8bb1072735d25a2075e4cf0c44941344501fa
Command: /bin/sh -c #(nop) COPY file:89eab4c1897dd3e64e5c0467069fd2dadc697eefd898d0eaf518d0428be16b2c in /bin/git-credential-myob |
4.4 MB | ||
|
Digest:
sha256:e9899e983b4c3ef281139c9c1d74f41dd21bd5cb4a7526c7dadb4e9f6570f87f
Command: /bin/sh -c chmod +x /entrypoint.sh |
908 bytes | ||
|
Digest:
sha256:1c89ab950bd4401e0c16ebc8e20a3a2ec3a02d25852e1caa8d5ea0df0a652ac6
Command: /bin/sh -c addgroup -S nonroot && adduser -S nonroot -G nonroot |
1.2 KB | ||
|
Digest:
sha256:3eb42147f35d359c55f998e724962c1527cb58b8e80a0ca621fb0f57673780f7
Command: /bin/sh -c chown -R nonroot:nonroot /bin/git-credential-myob |
4.4 MB | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) USER nonroot |
32 bytes | ||
|
Digest:
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) ENTRYPOINT ["/entrypoint.sh"] |
32 bytes |
|
|
trufflehog |
0 |
|
||
|
|
trufflehog |
1 |
|
||
|
|
trufflehog |
0 |
|
||
|
|
trufflehog |
2 |
|
||
|
|
trufflehog |
1 |
|
||
|
|
trufflehog |
4 |
|
||
|
|
trufflehog |
1 |
|
||
|
|
trufflehog |
0 |
|
||
|
|
trufflehog |
1 |
|
||
|
|
trufflehog |
138 |
|
||
|
|
trufflehog |
0 |
|
||
|
|
trufflehog |
4 |
|
||
|
|
trufflehog |
0 |
|
||
|
|
trufflehog |
0 |
|
||
|
|
trufflehog |
0 |
|
||
|
|
trufflehog |
0 |
|
||
|
|
trufflehog |
22 |
|
||
|
|
trufflehog |
0 |
|
||
|
|
trufflehog |
1 |
|
||
|
|
trufflehog |
156 |
|
Last scanned
1 year ago
Scan result
Vulnerable
Vulnerability count
7
Max. severity
Critical| Target: | . (alpine 3.19.1) | |
| LOW |
CVE-2024-2511: openssl: Unbounded memory growth with session handling in TLSv1.3Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.Package Name: libcrypto3 Installed Version: 3.1.4-r5 Fixed Version: 3.1.4-r6 References: access.redhat.com github.com github.com github.com github.openssl.org nvd.nist.gov www.cve.org www.openssl.org www.openssl.org |
|
| LOW |
CVE-2024-2511: openssl: Unbounded memory growth with session handling in TLSv1.3Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.Package Name: libssl3 Installed Version: 3.1.4-r5 Fixed Version: 3.1.4-r6 References: access.redhat.com github.com github.com github.com github.openssl.org nvd.nist.gov www.cve.org www.openssl.org www.openssl.org |
|
| Target: | Python | |
| CRITICAL |
CVE-2023-40267: GitPython: Insecure non-multi options in clone and clone_from is not blockedGitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.Package Name: GitPython Installed Version: 3.0.6 Fixed Version: 3.1.32 References: access.redhat.com github.com github.com github.com github.com github.com github.com lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov ubuntu.com www.cve.org |
|
| HIGH |
CVE-2022-24439: GitPython: improper user input validation leads into a RCEAll versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.Package Name: GitPython Installed Version: 3.0.6 Fixed Version: 3.1.30 References: access.redhat.com github.com github.com github.com github.com github.com github.com lists.debian.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org lists.fedoraproject.org nvd.nist.gov security.gentoo.org security.snyk.io ubuntu.com www.cve.org |
|
| HIGH |
CVE-2023-40590: gitpython: improper executable lookup on windowsGitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the `git` command, if a user runs GitPython from a repo has a `git.exe` or `git` executable, that program will be run instead of the one in the user's `PATH`. This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo. An attacker can trick a user to download a repository with a malicious `git` executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands. There is no fix currently available for windows users, however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like `C:\\Program Files\\Git\\cmd\\git.EXE` (default git path installation). 2: Require users to set the `GIT_PYTHON_GIT_EXECUTABLE` environment variable on Windows systems. 3: Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the `GIT_PYTHON_GIT_EXECUTABLE` env var to an absolute path. 4: Resolve the executable manually by only looking into the `PATH` environment variable.Package Name: GitPython Installed Version: 3.0.6 Fixed Version: 3.1.33 References: access.redhat.com docs.python.org github.com github.com github.com github.com github.com github.com github.com nvd.nist.gov www.cve.org |
|
| HIGH |
CVE-2024-22190: Untrusted search path under some conditions on Windows allows arbitrary code executionGitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.Package Name: GitPython Installed Version: 3.0.6 Fixed Version: 3.1.41 References: github.com github.com github.com github.com github.com nvd.nist.gov |
|
| MEDIUM |
CVE-2023-41040: GitPython: Blind local file inclusionGitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.Package Name: GitPython Installed Version: 3.0.6 Fixed Version: 3.1.37 References: access.redhat.com github.com github.com github.com github.com github.com github.com github.com lists.debian.org nvd.nist.gov www.cve.org |
|
