CVE-2024-35186

EUVD-2024-1506
gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations inside the working tree. A specially crafted repository can, when cloned, place new files anywhere the application has write access. This vulnerability leads to a major loss of confidentiality, integrity, and availability; even when the files created outside the working tree are not used to execute code, their creation directly impacts integrity. This vulnerability has been patched in version 0.36.0.
Provider  Type     Base Score (CVSS 3.x)  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  8.8 HIGH               NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
Percentile: 62%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor  Product   Version   Source
byron   gitoxide  < 0.36.0  ADP
Debian Releases

Debian Product     Codename  Version   Status
rust-gix-fs        forky     0.12.1-1  fixed
rust-gix-fs        sid       0.12.1-1  fixed
rust-gix-fs        trixie    0.12.1-1  fixed
rust-gix-index     forky     0.37.0-2  fixed
rust-gix-index     sid       0.37.0-2  fixed
rust-gix-index     trixie    0.37.0-1  fixed
rust-gix-worktree  forky     0.38.0-1  fixed
rust-gix-worktree  sid       0.38.0-1  fixed
rust-gix-worktree  trixie    0.38.0-1  fixed