SB2026061946 - openEuler 24.03 LTS SP3 update for python-GitPython
Published: June 19, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2026-42215)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to command injection in Repo.clone_from(), Remote.fetch(), Remote.pull(), and Remote.push() when processing attacker-controlled kwargs that are normalized into unsafe Git options. A remote user can supply crafted upload_pack or receive_pack values to execute arbitrary code.
The issue occurs because underscore-form kwargs bypass the unsafe-option check before being converted into dangerous command-line flags, and it does not require a malicious repository.
2) Path traversal (CVE-ID: CVE-2026-44243)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to write, overwrite, move, or delete files outside the repository's .git directory.
The vulnerability exists due to path traversal in GitPython reference APIs when processing application-controlled reference paths in reference creation, rename, and delete operations. A local user can supply a crafted reference path to write, overwrite, move, or delete files outside the repository's .git directory.
Exploitation requires the ability to influence reference names supplied by the consuming application.
3) Input validation error (CVE-ID: CVE-2026-44244)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to improper input validation in GitConfigParser.set_value() when writing user-supplied configuration values to .git/config. A local user can inject newline characters to create a malicious core.hooksPath setting and execute arbitrary code.
Any Git operation that invokes hooks, such as commit, merge, or checkout, may trigger execution from the attacker-controlled path. In shared repositories, the injected configuration can persist and affect subsequent Git operations by other users.
Remediation
Install update from vendor's website.