cbcvebase.
CVE-2024-35186
published 2024-05-23

CVE-2024-35186: gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A…

PriorityP347high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
0.82%
52.5th percentile
gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0.36.0.

Affected

5 ranges
VendorProductVersion rangeFixed in
byrongitoxide< 0.36.00.36.0
byrongitoxide>= 0 < 0.36.00.36.0
debianrust-gix-fs< rust-gix-fs 0.11.3-1 (forky)rust-gix-fs 0.11.3-1 (forky)
debianrust-gix-index< rust-gix-fs 0.11.3-1 (forky)rust-gix-fs 0.11.3-1 (forky)
debianrust-gix-worktree< rust-gix-fs 0.11.3-1 (forky)rust-gix-fs 0.11.3-1 (forky)

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.