CVE-2023-53158OS Command Injection in Gix-transport

CWE-78OS Command InjectionCWE-88Argument Injection7 documents5 sources
Severity
4.1MEDIUMNVD
EPSS
0.0%
top 93.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Gitoxidelabs Gix-transportMsrc Cbl2 Rust 1.72.0-10 ON CBL Mariner 2.0
Timeline
PublishedJul 28

Description

The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnerability (involving a username field) that is more difficult to exploit.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 1.0 | Impact: 2.7

Affected Packages3 packages

CVEListV5gitoxidelabs/gix-transport< 0.36.1
crates.iogitoxidelabs/gix-transport0.0.0-00.36.1+1

🔴Vulnerability Details

4
OSV
CVE-2023-53158: The gix-transport crate before 02025-07-28
OSV
gix-transport code execution vulnerability2023-09-25
GHSA
gix-transport code execution vulnerability2023-09-25
OSV
gix-transport code execution vulnerability2023-09-23

📋Vendor Advisories

2
Red Hat
gix-transport: gix Command Execution Vulnerability2025-07-28
Microsoft
The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnera2025-07-08