SB20260619118 - Ubuntu update for python-git
Published: June 19, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 vulnerabilities.
1) Path traversal (CVE-ID: CVE-2023-41040)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when reading from the ".git" directory. A remote attacker can prepare a specially crafted ".git" file with directory traversal characters in file names and force the application to read these files from the local system. This can result in checking for existence of a specific files on the system or perform a denial of service (DoS) attack.
2) OS Command Injection (CVE-ID: CVE-2026-42215)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to command injection in Repo.clone_from(), Remote.fetch(), Remote.pull(), and Remote.push() when processing attacker-controlled kwargs that are normalized into unsafe Git options. A remote user can supply crafted upload_pack or receive_pack values to execute arbitrary code.
The issue occurs because underscore-form kwargs bypass the unsafe-option check before being converted into dangerous command-line flags, and it does not require a malicious repository.
3) Input validation error (CVE-ID: CVE-2026-42284)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in _clone() and Submodule.update() when processing user-supplied multi_options. A remote attacker can supply a specially crafted option string that is transformed by shlex.split to inject unsafe git clone options and execute arbitrary code.
The issue occurs because validation is performed on the original option list before the transformed arguments are passed to git, allowing embedded --config core.hooksPath settings to reach git during clone operations.
4) Path traversal (CVE-ID: CVE-2026-44243)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to write, overwrite, move, or delete files outside the repository's .git directory.
The vulnerability exists due to path traversal in GitPython reference APIs when processing application-controlled reference paths in reference creation, rename, and delete operations. A local user can supply a crafted reference path to write, overwrite, move, or delete files outside the repository's .git directory.
Exploitation requires the ability to influence reference names supplied by the consuming application.
5) Input validation error (CVE-ID: CVE-2026-44244)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to improper input validation in GitConfigParser.set_value() when writing user-supplied configuration values to .git/config. A local user can inject newline characters to create a malicious core.hooksPath setting and execute arbitrary code.
Any Git operation that invokes hooks, such as commit, merge, or checkout, may trigger execution from the attacker-controlled path. In shared repositories, the injected configuration can persist and affect subsequent Git operations by other users.
Remediation
Install update from vendor's website.