{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/newline-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitPython (\u003c= 3.1.48)"],"_cs_severities":["high"],"_cs_tags":["newline injection","remote code execution","gitpython","config poisoning"],"_cs_type":"advisory","_cs_vendors":["gitpython"],"content_html":"\u003cp\u003eA newline injection vulnerability exists in GitPython\u0026rsquo;s \u003ccode\u003econfig_writer().set_value()\u003c/code\u003e function, allowing attackers to achieve remote code execution. The vulnerability occurs because \u003ccode\u003eset_value()\u003c/code\u003e does not check values for newlines before passing them to Python\u0026rsquo;s \u003ccode\u003econfigparser\u003c/code\u003e. GitPython\u0026rsquo;s writer converts embedded newlines into continuation lines, which Git still interprets as valid configuration. An attacker can inject a \u003ccode\u003ecore.hooksPath\u003c/code\u003e configuration, causing Git to execute scripts from an attacker-controlled path whenever hooks are invoked. Discovered during an audit of MLRun\u0026rsquo;s \u003ccode\u003eproject.push()\u003c/code\u003e method, the vulnerability is triggered when \u003ccode\u003eauthor_name\u003c/code\u003e or \u003ccode\u003eauthor_email\u003c/code\u003e are passed to \u003ccode\u003econfig_writer().set_value()\u003c/code\u003e without sanitization. 
This affects GitPython versions up to 3.1.48, git 2.39+.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious input string containing a newline character followed by a \u003ccode\u003e[core]\u003c/code\u003e section and \u003ccode\u003ehooksPath\u003c/code\u003e setting.\u003c/li\u003e\n\u003cli\u003eThe malicious string is passed as either the \u003ccode\u003eauthor_name\u003c/code\u003e or \u003ccode\u003eauthor_email\u003c/code\u003e parameter to an application using GitPython.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003econfig_writer().set_value()\u003c/code\u003e with the attacker-controlled input, writing the malicious configuration to the \u003ccode\u003e.git/config\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eGitPython converts the embedded newline into an indented continuation line but still writes it to the config.\u003c/li\u003e\n\u003cli\u003eGit interprets the injected \u003ccode\u003e[core]\u003c/code\u003e stanza as a valid section header, thus setting the \u003ccode\u003ecore.hooksPath\u003c/code\u003e to the attacker-specified path.\u003c/li\u003e\n\u003cli\u003eA Git operation that invokes hooks (e.g., commit, merge, checkout) is triggered.\u003c/li\u003e\n\u003cli\u003eGit executes the scripts located in the attacker-controlled \u003ccode\u003ehooksPath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to persistent repository configuration poisoning. In multi-user environments, one user can poison a shared repository\u0026rsquo;s \u003ccode\u003e.git/config\u003c/code\u003e, causing the attacker\u0026rsquo;s hooks to run during subsequent Git operations by other users. 
The impact on single-user deployments depends on whether the application automatically invokes Git hooks. This vulnerability, now identified as CVE-2026-44244, can lead to privilege escalation and arbitrary code execution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Git config hooksPath modification\u003c/code\u003e to identify attempts to modify the \u003ccode\u003ecore.hooksPath\u003c/code\u003e setting in the \u003ccode\u003e.git/config\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eAudit all calls to \u003ccode\u003econfig_writer().set_value()\u003c/code\u003e in your codebase, especially where user-supplied input is used, as suggested in the overview.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of GitPython that raises an error on CR, LF, or NUL in config values, as described in the remediation section.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of scripts from unusual or unexpected paths specified in the \u003ccode\u003ecore.hooksPath\u003c/code\u003e using the rule \u003ccode\u003eSuspicious Git Hook Execution\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-gitpython-rce/","summary":"A newline injection vulnerability in GitPython's `config_writer().set_value()` function enables remote code execution by manipulating the `core.hooksPath` Git configuration.","title":"GitPython config_writer().set_value() Newline Injection RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-gitpython-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Newline Injection","version":"https://jsonfeed.org/version/1.1"}