
Cloud Vulnerability DB
A community-led vulnerabilities database
GitPython, a Python library used to interact with Git repositories, was found to contain a vulnerability (CVE-2023-40590) that affects Windows systems. The vulnerability was discovered and disclosed on August 26, 2023, affecting all versions up to and including 3.1.32. The issue stems from how Python and Windows handle program resolution in the current working directory before checking the PATH environment (GitHub Advisory).
The vulnerability occurs when GitPython defaults to using the 'git' command. On Windows systems, when resolving a program, Python first looks in the current working directory before checking the PATH environment. This means if a user runs GitPython from a directory containing a malicious 'git.exe' or 'git' executable, that program will be executed instead of the legitimate Git installation in the user's PATH. The vulnerability has been assigned a CVSS v3.1 score of 7.8 (High), with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (GitHub Advisory, NVD).
The vulnerability allows an attacker to execute arbitrary code on Windows systems by tricking a user into downloading a repository containing a malicious git executable and running GitPython from that directory. This could lead to complete system compromise within the context of the user running the Python code (Security Online).
Several mitigation strategies have been proposed:
1) Default to an absolute path for the git program on Windows (e.g., 'C:\Program Files\Git\cmd\git.EXE').
2) Set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems to the absolute path of the git executable.
3) Never run GitPython from an untrusted repository.
4) Resolve the executable manually by looking only in the directories listed in the PATH environment variable (GitHub Advisory).
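Mitigations 2 and 4 combined in one place, as an added example that is not code from GitPython or the advisory: a resolver that walks only absolute PATH entries (never the current directory) and then pins GitPython to the result through its GIT_PYTHON_GIT_EXECUTABLE variable. The function names and the temporary-directory layout built by demo() are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path

_WINDOWS_EXTS = ("", ".exe", ".cmd", ".bat", ".com")  # suffixes Windows tries for a bare name

def resolve_from_path_only(program, path_env, windows=(os.name == "nt")):
    """Walk PATH entries only; the cwd is never consulted. Empty and relative
    entries are skipped because they implicitly mean "the current directory",
    which is exactly the lookup the advisory warns about."""
    if Path(program).name != program:
        raise ValueError("program must be a bare name, not a path")
    names = [program + ext for ext in _WINDOWS_EXTS] if windows else [program]
    for entry in path_env.split(os.pathsep):
        directory = Path(entry)
        if not entry or not directory.is_absolute():
            continue
        for name in names:
            candidate = directory / name
            if candidate.is_file() and os.access(candidate, os.X_OK):
                return str(candidate.resolve())
    return None

def pin_gitpython(path_env=None):
    """Set GIT_PYTHON_GIT_EXECUTABLE, which GitPython reads on `import git`, to a
    PATH-resolved absolute path so a planted executable in cwd is never chosen."""
    env = os.environ.get("PATH", "") if path_env is None else path_env
    git_path = resolve_from_path_only("git", env)
    if git_path is None:
        raise FileNotFoundError("git not found in any absolute PATH entry")
    os.environ["GIT_PYTHON_GIT_EXECUTABLE"] = git_path
    return git_path

def demo():
    """Constructed layout: cwd is a repo carrying a planted 'git'; the real one is in bin/ on PATH."""
    root = Path(tempfile.mkdtemp()).resolve()
    bin_dir, repo = root / "bin", root / "untrusted_repo"
    name = "git.exe" if os.name == "nt" else "git"
    for directory in (bin_dir, repo):
        directory.mkdir()
        (directory / name).write_text("")  # empty stand-in for an executable
        (directory / name).chmod(0o755)
    old_cwd = os.getcwd()
    os.chdir(repo)
    try:
        cwd_first = str(Path(name).resolve()) if Path(name).is_file() else None  # the vulnerable lookup
        path_only = pin_gitpython(str(bin_dir))
    finally:
        os.chdir(old_cwd)
    return {"cwd_first": cwd_first, "path_only": path_only, "legit": str(bin_dir / name)}
```

Call pin_gitpython() before the first `import git` in your program; demo() shows the cwd-first lookup picking the planted file while the PATH-only resolver returns the legitimate one.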
Source: This report was generated using AI