SCA: security update for gitpython (GHSA-wfm5-v35h-vwf4)

high Tenable Self-Hosted Container Security Plugin ID 421580

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- GitPython is a python library used to interact with Git repositories. When resolving a program,
Python/Windows look for the current working directory, and after that the PATH environment. GitPython
defaults to use the `git` command, if a user runs GitPython from a repo has a `git.exe` or `git`
executable, that program will be run instead of the one in the user's `PATH`. This is more of a problem on
how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably
people using GitPython usually run it from the CWD of a repo. An attacker can trick a user to download a
repository with a malicious `git` executable, if the user runs/imports GitPython from that directory, it
allows the attacker to run any arbitrary commands. There is no fix currently available for windows users,
however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like
`C:\\Program Files\\Git\\cmd\\git.EXE` (default git path installation). 2: Require users to set the
`GIT_PYTHON_GIT_EXECUTABLE` environment variable on Windows systems. 3: Make this problem prominent in the
documentation and advise users to never run GitPython from an untrusted repo, or set the
`GIT_PYTHON_GIT_EXECUTABLE` env var to an absolute path. 4: Resolve the executable manually by only
looking into the `PATH` environment variable. (CVE-2023-40590)

See Also

https://github.com/advisories/GHSA-wfm5-v35h-vwf4

Plugin Details

Severity: High

ID: 421580

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-40590

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 7.3

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/29/2023

Vulnerability Publication Date: 8/28/2023

Reference Information

CVE: CVE-2023-40590

cwe: CWE-426