trufflehog 8dc11cf78f5cad39708ea6bd29a…

One-liner (summary)

A certifiably-awesome package curated by ops-arch bot, hosted by Cloudsmith.

Description

A certifiably-awesome package curated by ops-arch bot, hosted by Cloudsmith.

License

Unknown

Size

42.3 MB

Downloads

0

Status  Completed
Checksum (MD5) c2c616d27b477f35031b0d33e0f574f9
Checksum (SHA-1) 9ac2ffb2ebf99bf8ea4d6c4d67df7cc34ba714c1
Checksum (SHA-256) 8dc11cf78f5cad39708ea6bd29a9edf9c998a8e713d75bab302f5d53aa1501a7
Checksum (SHA-512) 907fb1fca7ea8f00e504d20c4bdb6a4032e49d041735a3c7cb3ebf6436d6f031a6…
GPG Signature
GPG Fingerprint b37cb02108d5d7b2c7269a09acf5c48b429db520
Storage Region  Dublin, Ireland
Type  Binary (contains binaries and binary artifacts)
Uploaded At 7 months ago
Uploaded By ops-arch-bot
Slug Id trufflehog-vfbl
Unique Id j8szWpthTirz
Version (Raw) 8dc11cf78f5cad39708ea6bd29a9edf9c998a8e713d75bab302f5d53aa1501a7
Version (Parsed)
  • Type: Unknown

Docker-specific metadata
Image Digest sha256:8dc11cf78f5cad39708ea6bd29a9edf9c998a8e713d75bab302f5d53aa1501a7
Config Digest sha256:2015410751f33d911766332280cce1e2605528cd635fc2b1a43fe043fa9beb21
V1 OCI Index Digest sha256:7f6da4b7c0500ddc1ed39a711f715035c3a464f23899df1f0d8efb57a03ebf8e
V1 Distribution (Signed) Digest sha256:7db33de05dabe869ea72a976559e6e986477c28dc52ed77ca3d9c29c9ae5a487
V1 OCI Digest sha256:c5597bb2229012c90bb9adc446d7ce95384f216920b1304b95554f50136955e1
V2 Distribution List Digest sha256:e1bc8feaa13e1097147a0daa63369d7d62d54a1d51f69c2e3894af3a145bfb23
V1 Distribution Digest sha256:88e22a3105d9a8a2700f0e535c1d46b982f4b9f42b65a129a81d7d50de5a637d
V2 Distribution Digest sha256:8dc11cf78f5cad39708ea6bd29a9edf9c998a8e713d75bab302f5d53aa1501a7
Extended metadata
Manifest Type V2 Distribution
Architecture amd64
Config
Created 2024-09-30 02:32:01 UTC
Os linux

This package was uploaded with the following V2 Distribution manifest:

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 8007,
      "digest": "sha256:af86fcf4f073a66b3a8fb15984f7618dda7bb724a63a2d8f75ceff13123b3de6"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 3623807,
         "digest": "sha256:43c4264eed91be63b206e17d93e75256a6097070ce643c5e8f0379998b44f170"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 455115,
         "digest": "sha256:5169ad936bfa24a9f5aa0eaaa43d5ab998bc01a343374b44e100dd7292108e6c"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 15807391,
         "digest": "sha256:857dd066c29189c8a67e6d7a0fa904f9d1c68cfff765b4c7c44c0a39fdc08fab"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 249,
         "digest": "sha256:fafcb407c7d8d7196b617edf896c36b5b6c670f082d3e0a47bc4939ee0128416"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 5936830,
         "digest": "sha256:ef1618be875558b9f66fc0f567dd01db11fb293cc68beef34ac21ff2c585c093"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 8935522,
         "digest": "sha256:edadd3112018833eff439a8a8e745314554be7cb1b0ea9bc81869486ae878897"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 452,
         "digest": "sha256:e0f958151c4c7de023293a3936b9c29a390b1b30bb121e0d5f55f545023bead3"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 995,
         "digest": "sha256:1850fac80860b18521e9460ba133e03ddbfbf724f8418a302a8a9760a6172eea"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 935,
         "digest": "sha256:b0b62ee870c4d7d96726c206e8f7f057543c4915f11388a86558fe9eda2ce0cb"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1479,
         "digest": "sha256:6da56bc45dd64853735787b8bb7f8c863bfad275c738c6c6039adc160bd3ad22"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 4784862,
         "digest": "sha256:9c0ad73859805635c73981c8e90bf2152eedf4008b41aa0e943df7200ec2f697"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 967,
         "digest": "sha256:6f28f64e4c47b6714dc4203d7fa1d73a8292299a27fc4c132095d7fb91017ecb"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 4784931,
         "digest": "sha256:37a5aa1814881b7ba6547ef06e68b421a0e0befdcc73039d0702d1b4a055ea47"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 966,
         "digest": "sha256:04c57950f174715471950c54ad287d85889f6b08ec7a5e7165a708ead1ce92f9"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 162,
         "digest": "sha256:a746ac63a35cc204218a7a74b577aaf441dbe93cffb04f23be26aca5eeb0e0e4"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 141,
         "digest": "sha256:e3db456d0728b4dab293f1a722016e92b2f54f434cc47f06e370ca63c5d294f6"
      }
   ]
}
Digest: sha256:43c4264eed91be63b206e17d93e75256a6097070ce643c5e8f0379998b44f170
Command: /bin/sh -c #(nop) ADD file:5758b97d8301c84a204a6e516241275d785a7cade40b2fb99f01fe122482e283 in /
3.5 MB
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) CMD ["/bin/sh"]
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV LANG=C.UTF-8
32 bytes
Digest: sha256:5169ad936bfa24a9f5aa0eaaa43d5ab998bc01a343374b44e100dd7292108e6c
Command: RUN /bin/sh -c set -eux; apk add --no-cache ca-certificates tzdata ; # buildkit
444.4 KB
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_VERSION=3.11.10
32 bytes
Digest: sha256:857dd066c29189c8a67e6d7a0fa904f9d1c68cfff765b4c7c44c0a39fdc08fab
Command: RUN /bin/sh -c set -eux; apk add --no-cache --virtual .build-deps gnupg tar xz bluez-dev bzip2-dev dpkg-dev dpkg expat-dev findutils gcc gdbm-dev libc-dev libffi-dev libnsl-dev libtirpc-dev linux-headers make ncurses-dev openssl-dev pax-utils readline-dev sqlite-dev tcl-dev tk tk-dev util-linux-dev xz-dev zlib-dev ; wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; gpg --batch --verify python.tar.xz.asc python.tar.xz; gpgconf --kill all; rm -rf "$GNUPGHOME" python.tar.xz.asc; mkdir -p /usr/src/python; tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; rm python.tar.xz; cd /usr/src/python; gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; ./configure --build="$gnuArch" --enable-loadable-sqlite-extensions $(test "$gnuArch" != 'riscv64-linux-musl' && echo '--enable-optimizations') --enable-option-checking=fatal --enable-shared --with-lto --with-system-expat --with-ensurepip ; nproc="$(nproc)"; EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000"; LDFLAGS="${LDFLAGS:--Wl},--strip-all"; make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:-}" "PROFILE_TASK=${PROFILE_TASK:-}" ; rm python; make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:--Wl},-rpath='\$\$ORIGIN/../lib'" "PROFILE_TASK=${PROFILE_TASK:-}" python ; make install; cd /; rm -rf /usr/src/python; find /usr/local -depth \( \( -type d -a \( -name test -o -name tests -o -name idle_test \) \) -o \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \) \) \) -exec rm -rf '{}' + ; find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' | tr ',' '\n' | sort -u | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' | xargs -rt apk add --no-network --virtual .python-rundeps ; apk del --no-network .build-deps; export PYTHONDONTWRITEBYTECODE=1; python3 --version; pip3 install --disable-pip-version-check --no-cache-dir --no-compile 'setuptools==65.5.1' wheel ; pip3 --version # buildkit
15.1 MB
Digest: sha256:fafcb407c7d8d7196b617edf896c36b5b6c670f082d3e0a47bc4939ee0128416
Command: RUN /bin/sh -c set -eux; for src in idle3 pip3 pydoc3 python3 python3-config; do dst="$(echo "$src" | tr -d 3)"; [ -s "/usr/local/bin/$src" ]; [ ! -e "/usr/local/bin/$dst" ]; ln -svT "$src" "/usr/local/bin/$dst"; done # buildkit
249 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: CMD ["python3"]
32 bytes
Digest: sha256:ef1618be875558b9f66fc0f567dd01db11fb293cc68beef34ac21ff2c585c093
Command: RUN /bin/sh -c apk add --no-cache git less # buildkit
5.7 MB
Digest: sha256:edadd3112018833eff439a8a8e745314554be7cb1b0ea9bc81869486ae878897
Command: RUN /bin/sh -c pip install gitdb2==3.0.0 truffleHog==2.2.1 setuptools[core]==70.0.0 # buildkit
8.5 MB
Digest: sha256:e0f958151c4c7de023293a3936b9c29a390b1b30bb121e0d5f55f545023bead3
Command: RUN /bin/sh -c addgroup -S nonroot # buildkit
452 bytes
Digest: sha256:1850fac80860b18521e9460ba133e03ddbfbf724f8418a302a8a9760a6172eea
Command: RUN /bin/sh -c adduser -D -G nonroot nonroot # buildkit
995 bytes
Digest: sha256:b0b62ee870c4d7d96726c206e8f7f057543c4915f11388a86558fe9eda2ce0cb
Command: COPY entrypoint.sh /entrypoint.sh # buildkit
935 bytes
Digest: sha256:6da56bc45dd64853735787b8bb7f8c863bfad275c738c6c6039adc160bd3ad22
Command: COPY regex.json /regex.json # buildkit
1.4 KB
Digest: sha256:9c0ad73859805635c73981c8e90bf2152eedf4008b41aa0e943df7200ec2f697
Command: COPY /bin/git-credential-myob /bin/git-credential-myob # buildkit
4.6 MB
Digest: sha256:6f28f64e4c47b6714dc4203d7fa1d73a8292299a27fc4c132095d7fb91017ecb
Command: RUN /bin/sh -c chmod +x /entrypoint.sh # buildkit
967 bytes
Digest: sha256:37a5aa1814881b7ba6547ef06e68b421a0e0befdcc73039d0702d1b4a055ea47
Command: RUN /bin/sh -c chmod g+x /bin/git-credential-myob # buildkit
4.6 MB
Digest: sha256:04c57950f174715471950c54ad287d85889f6b08ec7a5e7165a708ead1ce92f9
Command: RUN /bin/sh -c chmod g+x /entrypoint.sh # buildkit
966 bytes
Digest: sha256:a746ac63a35cc204218a7a74b577aaf441dbe93cffb04f23be26aca5eeb0e0e4
Command: RUN /bin/sh -c mkdir /tmp/truffle # buildkit
162 bytes
Digest: sha256:e3db456d0728b4dab293f1a722016e92b2f54f434cc47f06e370ca63c5d294f6
Command: RUN /bin/sh -c chown -R nonroot:nonroot /tmp/truffle # buildkit
141 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: USER nonroot
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENTRYPOINT ["/entrypoint.sh"]
32 bytes
Other trufflehog images in this repository (all uploaded by ops-arch-bot; size, age, tags and download count are given where the listing shows them):
  • 39.7 MB, 1 year ago, 0 downloads
  • 38.2 MB, 1 year ago, image amd64 linux, 138 downloads
  • 47125 downloads
  • 6 downloads
  • 29 downloads
  • 0 downloads
  • 0 downloads
  • 1 download
  • 0 downloads
  • 0 downloads
  • 42.3 MB, 7 months ago, 0 downloads
  • 42.3 MB, 7 months ago, 4 downloads
  • image amd64 linux, tag latest, 35088 downloads
  • image amd64 linux, 0 downloads
  • 0 downloads
  • 0 downloads
  • 0 downloads
  • 0 downloads
  • 38.5 MB, 1 year ago, 0 downloads
  • 38.2 MB, 1 year ago, 0 downloads

Last scanned

7 months ago

Scan result

Vulnerable

Vulnerability count

6

Max. severity

Critical
Target: Python

[CRITICAL] CVE-2023-40267: GitPython: Insecure non-multi options in clone and clone_from is not blocked

GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.32

References (hosts only; link targets were not preserved): access.redhat.com, github.com, lists.fedoraproject.org, nvd.nist.gov, ubuntu.com, www.cve.org

[HIGH] CVE-2022-24439: GitPython: improper user input validation leads into a RCE

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.30

References (hosts only): access.redhat.com, github.com, lists.debian.org, lists.fedoraproject.org, nvd.nist.gov, security.gentoo.org, security.snyk.io, ubuntu.com, www.cve.org

[HIGH] CVE-2023-40590: gitpython: improper executable lookup on windows

GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the `git` command, if a user runs GitPython from a repo has a `git.exe` or `git` executable, that program will be run instead of the one in the user's `PATH`. This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo. An attacker can trick a user to download a repository with a malicious `git` executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands. There is no fix currently available for windows users, however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like `C:\\Program Files\\Git\\cmd\\git.EXE` (default git path installation). 2: Require users to set the `GIT_PYTHON_GIT_EXECUTABLE` environment variable on Windows systems. 3: Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the `GIT_PYTHON_GIT_EXECUTABLE` env var to an absolute path. 4: Resolve the executable manually by only looking into the `PATH` environment variable.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.33

References (hosts only): access.redhat.com, docs.python.org, github.com, nvd.nist.gov, www.cve.org

[HIGH] CVE-2024-22190: Untrusted search path under some conditions on Windows allows arbitrary code execution

GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.41

References (hosts only): github.com, nvd.nist.gov

[MEDIUM] CVE-2023-41040: GitPython: Blind local file inclusion

GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has been addressed in version 3.1.37.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.37

References (hosts only): access.redhat.com, github.com, lists.debian.org, nvd.nist.gov, www.cve.org

Target: bin/git-credential-myob

[MEDIUM] CVE-2023-45288: golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Package Name: golang.org/x/net
Installed Version: v0.17.0
Fixed Version: 0.23.0

References (hosts only): www.openwall.com, access.redhat.com, bugzilla.redhat.com, cve.mitre.org, errata.almalinux.org, errata.rockylinux.org, go.dev, groups.google.com, kb.cert.org, linux.oracle.com, lists.fedoraproject.org, nowotarski.info, nvd.nist.gov, pkg.go.dev, security.netapp.com, ubuntu.com, www.cve.org, www.kb.cert.org
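A triage pass over the six findings above, added here as an example; it is not from the page, from Cloudsmith, or from the scanner that produced the list. It transcribes the CVE, package, installed and fixed versions and severity of each entry, takes "Os linux" from the image config above, and flags CVE-2023-40590 and CVE-2024-22190 as Windows-only on the strength of their own descriptions (an applicability assumption for this linux/amd64 image, not a claim that the package is unaffected; the upgrade target still counts them). It then computes, per package, the lowest version that clears every finding. Whether truffleHog 2.2.1, the step that pulled GitPython 3.0.6 in, tolerates GitPython 3.1.41 is not something the page shows.

```python
"""Triage of the scan findings on this page for a linux/amd64 image.

Added example. Findings are transcribed from the page; `windows_only` is an
assumption drawn from each advisory's text, and IMAGE_OS from 'Os linux'.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    installed: str
    fixed: str
    severity: str
    windows_only: bool = False  # assumption: read off the advisory text


FINDINGS = [
    Finding("CVE-2023-40267", "GitPython", "3.0.6", "3.1.32", "CRITICAL"),
    Finding("CVE-2022-24439", "GitPython", "3.0.6", "3.1.30", "HIGH"),
    Finding("CVE-2023-40590", "GitPython", "3.0.6", "3.1.33", "HIGH", windows_only=True),
    Finding("CVE-2024-22190", "GitPython", "3.0.6", "3.1.41", "HIGH", windows_only=True),
    Finding("CVE-2023-41040", "GitPython", "3.0.6", "3.1.37", "MEDIUM"),
    Finding("CVE-2023-45288", "golang.org/x/net", "v0.17.0", "0.23.0", "MEDIUM"),
]

IMAGE_OS = "linux"  # from the image config shown on the page


def parse_version(version: str) -> tuple:
    """Numeric dotted versions only (all versions on this page are); a
    leading 'v', as in the Go module version, is ignored."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def is_affected(finding: Finding) -> bool:
    """Installed version is older than the fixed version."""
    return parse_version(finding.installed) < parse_version(finding.fixed)


def applicable(findings, image_os: str):
    """Findings that are both unfixed and reachable on this image's OS."""
    return [
        f for f in findings
        if is_affected(f) and not (f.windows_only and image_os != "windows")
    ]


def upgrade_targets(findings) -> dict:
    """Per package, the smallest version that clears every finding, i.e. the
    highest 'Fixed Version' listed for that package."""
    targets = {}
    for f in findings:
        current = targets.get(f.package)
        if current is None or parse_version(f.fixed) > parse_version(current):
            targets[f.package] = f.fixed
    return targets


def max_severity(findings):
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default=None)


def report(findings=FINDINGS, image_os: str = IMAGE_OS) -> dict:
    relevant = applicable(findings, image_os)
    return {
        "total": len(findings),
        "applicable_on_this_os": len(relevant),
        "max_severity_on_this_os": max_severity(relevant),
        "upgrade_to": upgrade_targets(findings),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The OS filter only changes what is reachable in this image; the upgrade targets are computed over all findings, so the answer is still "GitPython 3.1.41 and golang.org/x/net 0.23.0" regardless of platform.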

These instructions assume you have set up the repository first (or read how to).

To pull trufflehog @ reference/tag d4e3958e862b97cf1101c98614f84820e176c730:

docker pull docker.myob.com/appsec/trufflehog:d4e3958e862b97cf1101c98614f84820e176c730

You can also pull the latest version of this image (if it exists):

docker pull docker.myob.com/appsec/trufflehog:latest

To refer to this image after pulling in a Dockerfile, specify the following:

FROM docker.myob.com/appsec/trufflehog:d4e3958e862b97cf1101c98614f84820e176c730
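A cross-check of the V2 Distribution manifest, the layer history and the pull instructions on this page, added as an example that is not part of the Cloudsmith page or of the trufflehog project. It transcribes the sixteen non-empty layer sizes and build steps from the history above (the long RUN commands are abbreviated), recomputes the 42.3 MB "Size" field from them, reports the chmod steps that write an already-copied file into a fresh layer (the 4.6 MB git-credential-myob binary is paid for twice), and builds an immutable image@digest pull reference from the Image Digest above, which the page shows is the same value as the SHA-256 checksum and the V2 Distribution Digest. The 32-byte rows in the history (ENV, CMD, USER, ENTRYPOINT) all carry sha256:a3ed95…, the digest Docker uses for a metadata-only layer; that is a known convention, not something the page states.

```python
"""Cross-checks on the manifest, layer history and pull reference above.

Added example. Layer sizes and commands are transcribed from this page; the
image name and digest come from the page's pull instructions and metadata.
"""
import re

IMAGE = "docker.myob.com/appsec/trufflehog"
IMAGE_DIGEST = "sha256:8dc11cf78f5cad39708ea6bd29a9edf9c998a8e713d75bab302f5d53aa1501a7"
# Digest of the 32-byte empty gzipped tar that Docker records for
# metadata-only history entries; every 32-byte row above carries it.
EMPTY_LAYER = "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"

# (compressed bytes, build step) for the 16 non-empty layers, in order.
# Long RUN steps are abbreviated; sizes are the manifest's layer sizes.
HISTORY = [
    (3623807, "ADD file:5758b97d8301c84a204a6e516241275d785a7cade40b2fb99f01fe122482e283 in /"),
    (455115, "RUN apk add --no-cache ca-certificates tzdata"),
    (15807391, "RUN (build CPython 3.11.10 from a GPG-verified tarball; full command above)"),
    (249, "RUN (symlink python3 -> python, pip3 -> pip, ...)"),
    (5936830, "RUN apk add --no-cache git less"),
    (8935522, "RUN pip install gitdb2==3.0.0 truffleHog==2.2.1 setuptools[core]==70.0.0"),
    (452, "RUN addgroup -S nonroot"),
    (995, "RUN adduser -D -G nonroot nonroot"),
    (935, "COPY entrypoint.sh /entrypoint.sh"),
    (1479, "COPY regex.json /regex.json"),
    (4784862, "COPY /bin/git-credential-myob /bin/git-credential-myob"),
    (967, "RUN chmod +x /entrypoint.sh"),
    (4784931, "RUN chmod g+x /bin/git-credential-myob"),
    (966, "RUN chmod g+x /entrypoint.sh"),
    (162, "RUN mkdir /tmp/truffle"),
    (141, "RUN chown -R nonroot:nonroot /tmp/truffle"),
]

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def is_valid_digest(digest: str) -> bool:
    """Only a lowercase hex SHA-256 content digest is immutable; a tag such
    as 'latest' can be re-pointed at any time."""
    return DIGEST_RE.fullmatch(digest) is not None


def total_bytes(history=HISTORY) -> int:
    """Sum of compressed layer sizes; the page's Size field is this in MiB."""
    return sum(size for size, _ in history)


def size_mib(history=HISTORY) -> float:
    return round(total_bytes(history) / 1024 ** 2, 1)


def file_rewrite_layers(history=HISTORY):
    """Layers that re-emit a file an earlier COPY/ADD already added.

    A RUN chmod/chown on such a path copies the whole file up into a new
    layer, so its bytes are shipped twice. Returns (step, path, bytes).
    """
    added, rewrites = set(), []
    for idx, (size, cmd) in enumerate(history):
        tokens = cmd.split()
        if tokens[0] in ("COPY", "ADD") and len(tokens) >= 3:
            added.add(tokens[-1])
        elif tokens[0] == "RUN" and len(tokens) > 2 and tokens[1] in ("chmod", "chown"):
            if tokens[-1] in added:
                rewrites.append((idx, tokens[-1], size))
    return rewrites


def wasted_bytes(history=HISTORY) -> int:
    return sum(size for _, _, size in file_rewrite_layers(history))


def pinned_reference(image: str = IMAGE, digest: str = IMAGE_DIGEST) -> str:
    """image@digest, the form to use in 'docker pull' and 'FROM' so that a
    re-pointed tag cannot change what gets deployed."""
    if not is_valid_digest(digest):
        raise ValueError(f"not a content digest: {digest!r}")
    return f"{image}@{digest}"


if __name__ == "__main__":
    print(f"{size_mib():.1f} MiB across {len(HISTORY)} non-empty layers")
    for step, path, size in file_rewrite_layers():
        print(f"step {step}: {path} written again, {size} bytes")
    print(f"{wasted_bytes()} bytes could be saved with COPY --chmod")
    print("docker pull", pinned_reference())
```

The recomputed size lands on 42.3 MiB, matching the page, which confirms the Size field is the sum of compressed layers rather than the unpacked image. Using the pinned reference in place of the :latest or commit-tag form above is the check a deployment should make: the tag can be moved, the digest cannot.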