CVE-2024-32884

EUVD-2024-1168

26.04.2024, 18:15

gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.

Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.4 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
byron	gitoxide	𝑥 < 0.35.0	ADP
byron	gitoxide	𝑥 < 0.62.0	ADP
byron	gitoxide	𝑥 < 0.42.0	ADP

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh

https://rustsec.org/advisories/RUSTSEC-2024-0335.html

https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh

https://rustsec.org/advisories/RUSTSEC-2024-0335.html