CVE-2024-32884
published 2024-04-26


Priority: P3 (40)
Severity: medium, CVSS 3.1 base score 6.4
Vector: AV:N / AC:H / PR:L / UI:N / S:U / C:H / I:L / A:L
EPSS: 0.51% (39.8th percentile)
gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.

Affected

10 ranges

Vendor        Product                                    Version range   Fixed in
byron         gitoxide                                   < 0.42.0        0.42.0
byron         gitoxide                                   < 0.62          0.62
byron         gitoxide                                   < 0.35          0.35
byron         gitoxide                                   >= 0, < 0.35    0.35
gitoxidelabs  gix-transport                              < 0.36.1        0.36.1
msrc          azl3_rust_1.75.0-14_on_azure_linux_3.0     (not given)     (not given)
msrc          azl3_rust_1.75.0-9_on_azure_linux_3.0      (not given)     (not given)
msrc          azl3_rust_1.86.0-1_on_azure_linux_3.0      (not given)     (not given)
msrc          cbl2_rust_1.72.0-10_on_cbl_mariner_2.0     (not given)     (not given)
msrc          cbl2_rust_1.72.0-8_on_cbl_mariner_2.0      (not given)     (not given)

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      6.4     MEDIUM     CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
ghsa                     6.4     MEDIUM
osv                      6.4     MEDIUM
vendor_msrc              6.4     MEDIUM
vendor_redhat            4.1     MEDIUM