CVE-2024-22190: 
Python vulnerability analysis and mitigation

GitPython, a Python library used to interact with Git repositories, contains a vulnerability (CVE-2024-22190) that is an incomplete fix for CVE-2023-40590. The issue affects versions up to 3.1.40 and was discovered in January 2024. On Windows systems, GitPython uses an untrusted search path when using a shell to run git commands and when running bash.exe to interpret hooks. This vulnerability allows a malicious git.exe or bash.exe to be executed from an untrusted repository (GitHub Advisory).

The vulnerability stems from two specific scenarios on Windows systems. First, when using shell=True for git commands, the Windows cmd.exe shell process performs the path search without proper restrictions. Second, when running hook scripts, GitPython uses bash.exe without preventing it from being found in the current directory. The issue has been assigned a CVSS v3.1 score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-426 (Untrusted Search Path) (NVD, GitHub Advisory).

The vulnerability can lead to arbitrary code execution under specific circumstances. The most significant impact is in applications that set Git.USE_SHELL = True, which makes them vulnerable to arbitrary code execution from a malicious repository. Even running the application from a trusted directory does not mitigate this risk. Additionally, the bash.exe execution vulnerability for hooks cannot be easily mitigated without patching (GitHub Advisory).

The vulnerability has been patched in GitPython version 3.1.41. For unpatched versions, applications can partially mitigate the risk by avoiding the use of shell=True when running git commands. However, there is no straightforward way to prevent the bash.exe execution vulnerability for hooks without updating to the patched version (GitHub Advisory).