CVE-2024-35186 HIGH

CVE-2024-35186: gix traversal outside working tree enables arbitrary code execution

Vendor Byron

Product gitoxide

Weakness CWE-23

Published May 23, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0.36.0.

Key dates

02Disclosure timeline

May 23, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-35186 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/23.html

Related vulnerabilities

CVE-2024-35186: gix traversal outside working tree enables arbitrary code execution

01Description

02Disclosure timeline

03References

04Related CVE