{"id":"USN-8303-1","summary":"python-git vulnerabilities","details":"Santos Gallegos discovered that GitPython did not properly validate\npaths when resolving certain Git references. An attacker could possibly\nuse this issue to cause files outside the .git directory to be accessed,\nleading to a denial of service. This issue only affected Ubuntu 14.04\nLTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu\n22.04 LTS. (CVE-2023-41040)\n\nWes Ring discovered that GitPython did not properly block certain unsafe\nGit options when they were provided as Python keyword arguments. An\nattacker could possibly use this issue to cause arbitrary command\nexecution. (CVE-2026-42215)\n\nIt was discovered that GitPython did not properly validate clone options\nbefore processing them. An attacker could possibly use this issue to\ninject unsafe Git configuration, leading to arbitrary command execution\nthrough Git hooks. This issue only affected Ubuntu 20.04 LTS, Ubuntu\n22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-42284)\n\nIt was discovered that GitPython did not properly validate reference\npaths during reference operations. An attacker could possibly use this\nissue to write, overwrite, move, or delete files outside the repository.\n(CVE-2026-44243)\n\nDan Aridor discovered that GitPython did not properly validate\nconfiguration values before writing them to Git configuration files. An\nattacker could possibly use this issue to inject unsafe Git\nconfiguration, leading to arbitrary command execution through Git hooks.\n(CVE-2026-44244)","modified":"2026-05-27T10:32:49.665850585Z","published":"2026-05-26T21:52:45Z","related":["UBUNTU-CVE-2023-41040","UBUNTU-CVE-2026-42215","UBUNTU-CVE-2026-42284","UBUNTU-CVE-2026-44243","UBUNTU-CVE-2026-44244"],"upstream":["CVE-2023-41040","CVE-2026-42215","CVE-2026-42284","CVE-2026-44243","CVE-2026-44244","UBUNTU-CVE-2023-41040","UBUNTU-CVE-2026-42215","UBUNTU-CVE-2026-42284","UBUNTU-CVE-2026-44243","UBUNTU-CVE-2026-44244"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8303-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-41040"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-42215"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-42284"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-44243"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-44244"}],"affected":[{"package":{"name":"python-git","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/python-git?arch=source&distro=esm-infra-legacy%2Ftrusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.3.2~RC1-3ubuntu0.1~esm3"}]}],"versions":["0.3.2~RC1-2","0.3.2~RC1-3","0.3.2~RC1-3ubuntu0.1~esm1","0.3.2~RC1-3ubuntu0.1~esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"0.3.2~RC1-3ubuntu0.1~esm3","binary_name":"python-git"}],"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8303-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:14.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-41040"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-42215"},{"severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P","type":"CVSS_V4"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-44243"},{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-44244"}]}}},{"package":{"name":"python-git","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/python-git?arch=source&distro=esm-apps-legacy%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm4"}]}],"versions":["1.0.1+git137-gc8b8379-1","1.0.1+git137-gc8b8379-2","1.0.1+git137-gc8b8379-2.1","1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm1","1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm4","binary_name":"python-git"},{"binary_version":"1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm4","binary_name":"python3-git"}],"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8303-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:16.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-41040"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-42215"},{"severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P","type":"CVSS_V4"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-44243"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-44244"}]}}},{"package":{"name":"python-git","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/python-git?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.8-1ubuntu0.1~esm4"}]}],"versions":["2.1.5-1","2.1.6-1","2.1.7-1","2.1.8-1","2.1.8-1ubuntu0.1~esm1","2.1.8-1ubuntu0.1~esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"2.1.8-1ubuntu0.1~esm4","binary_name":"python-git"},{"binary_version":"2.1.8-1ubuntu0.1~esm4","binary_name":"python3-git"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8303-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:18.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-41040"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-42215"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-44243"},{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-44244"}]}}},{"package":{"name":"python-git","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/python-git?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.7-1ubuntu0.1~esm4"}]}],"versions":["2.1.11-1","3.0.4-1","3.0.5-1","3.0.7-1","3.0.7-1ubuntu0.1~esm1","3.0.7-1ubuntu0.1~esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"3.0.7-1ubuntu0.1~esm4","binary_name":"python3-git"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8303-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:20.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-41040"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-42215"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-42284"},{"severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P","type":"CVSS_V4"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-44243"},{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-44244"}]}}},{"package":{"name":"python-git","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/python-git?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.24-1ubuntu0.1~esm3"}]}],"versions":["3.1.14-1","3.1.23-1","3.1.24-1","3.1.24-1ubuntu0.1~esm1","3.1.24-1ubuntu0.1~esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"3.1.24-1ubuntu0.1~esm3","binary_name":"python3-git"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8303-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:22.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-41040"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-42215"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-42284"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-44243"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-44244"}]}}},{"package":{"name":"python-git","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/python-git?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.37-3ubuntu0.1~esm2"}]}],"versions":["3.1.30-1","3.1.37-1","3.1.37-3"],"ecosystem_specific":{"binaries":[{"binary_version":"3.1.37-3ubuntu0.1~esm2","binary_name":"python3-git"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8303-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:24.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-42215"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-42284"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-44243"},{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-44244"}]}}},{"package":{"name":"python-git","ecosystem":"Ubuntu:Pro:26.04:LTS","purl":"pkg:deb/ubuntu/python-git?arch=source&distro=esm-apps%2Fresolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.46-1ubuntu0.1~esm1"}]}],"versions":["3.1.44-1","3.1.45-1","3.1.46-1"],"ecosystem_specific":{"binaries":[{"binary_version":"3.1.46-1ubuntu0.1~esm1","binary_name":"python3-git"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8303-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:26.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-42215"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-42284"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-44243"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-44244"}]}}}],"schema_version":"1.7.5"}