Alpine: multiple py3-gitpython packages: security update to 3.1.35-r0 (deprecated)

medium Tenable Self-Hosted Container Security Plugin ID 401382

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- GitPython is a python library used to interact with Git repositories. In order to resolve some git
references, GitPython reads files from the `.git` directory, in some places the name of the file being
read is provided by the user, GitPython doesn't check if this file is located outside the `.git`
directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is
present in https://github.com/gitpython-
developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That
code joins the base directory with a user given string without checking if the final path is located
outside the base directory. This vulnerability cannot be used to read the contents of files but could in
theory be used to trigger a denial of service for the program. This issue has been addressed in version
3.1.37. (CVE-2023-41040)

See Also

https://git.alpinelinux.org/aports/commit/?id=2440b69b1dcd7edbff424bf73034042c7400e8d1

https://git.alpinelinux.org/aports/commit/?id=7e13893e30b7ea44b01317d552820b32d4219ef4

Plugin Details

Severity: Medium

ID: 401382

Version: Revision 1.23

Type: Local

Published: 10/6/2023

Updated: 9/23/2024

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.51

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2023-41040

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/6/2023

Vulnerability Publication Date: 8/26/2023

Reference Information

CVE: CVE-2023-41040