All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
{
  "binaries": [
    { "binary_name": "python-git", "binary_version": "1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm1" },
    { "binary_name": "python-git-doc", "binary_version": "1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm1" },
    { "binary_name": "python3-git", "binary_version": "1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm1" }
  ],
  "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
  "ubuntu_priority": "medium"
}
{
  "binaries": [
    { "binary_name": "python-git", "binary_version": "2.1.8-1ubuntu0.1~esm1" },
    { "binary_name": "python-git-doc", "binary_version": "2.1.8-1ubuntu0.1~esm1" },
    { "binary_name": "python3-git", "binary_version": "2.1.8-1ubuntu0.1~esm1" }
  ],
  "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
  "ubuntu_priority": "medium"
}