CVE-2024-35186
Published 2024-05-23
Priority: P3 · 47 · high · 8.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.82% (52.5th percentile)
gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0.36.0.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| byron | gitoxide | < 0.36.0 | 0.36.0 |
| byron | gitoxide | >= 0 < 0.36.0 | 0.36.0 |
| debian | rust-gix-fs | < rust-gix-fs 0.11.3-1 (forky) | rust-gix-fs 0.11.3-1 (forky) |
| debian | rust-gix-index | < rust-gix-fs 0.11.3-1 (forky) | rust-gix-fs 0.11.3-1 (forky) |
| debian | rust-gix-worktree | < rust-gix-fs 0.11.3-1 (forky) | rust-gix-fs 0.11.3-1 (forky) |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
OSV
CVE-2024-35186 [HIGH]: gitoxide is a pure Rust implementation of Git
osv · 2024-05-23 · CVSS 8.8
GHSA
gix traversal outside working tree enables arbitrary code execution
ghsa · 2024-05-22 · CVE-2024-35186 [HIGH] · CWE-22
### Summary
During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.
### Details
Although `gix-worktree-state` checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in `gix-fs` and `gix-worktree` prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's `.git` directory. The simplest cases are:
- A tree named `..` to traverse upward. This facilitates arbitrary…
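The check the advisory describes as missing, written out as an added illustration (this is not gitoxide's own code, and the function and error names are hypothetical): every tree-entry path is validated before checkout writes anything to disk. The validator treats `\` as a separator alongside `/`, rejects absolute paths and drive prefixes, refuses `.`, `..` and empty components, and refuses any component equal to `.git` regardless of ASCII case, so both of the advisory's cases, escaping the working tree and writing into a `.git` directory, are caught at the same point.

```rust
// Added illustration, not gitoxide's own code. Every name here is hypothetical.
// A checkout routine must establish that each tree-entry path stays inside the
// working tree and never names the `.git` directory before it writes anything.

use std::fmt;

#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    Empty,
    NulByte,
    Absolute,
    EmptyComponent,
    DotComponent,
    DotDotComponent,
    GitDirComponent,
}

impl fmt::Display for PathError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let msg = match self {
            PathError::Empty => "empty path",
            PathError::NulByte => "path contains a NUL byte",
            PathError::Absolute => "absolute path or drive prefix",
            PathError::EmptyComponent => "empty component (doubled or trailing separator)",
            PathError::DotComponent => "`.` component",
            PathError::DotDotComponent => "`..` component escapes the working tree",
            PathError::GitDirComponent => "`.git` component would touch repository metadata",
        };
        f.write_str(msg)
    }
}

/// `C:`-style prefix: on Windows it makes the path absolute or drive-relative.
fn has_drive_prefix(path: &str) -> bool {
    let b = path.as_bytes();
    b.len() >= 2 && b[0].is_ascii_alphabetic() && b[1] == b':'
}

/// Validates one tree-entry path as stored in a Git tree (slash-separated).
/// Returns the components when the path is safe to join onto the worktree root.
pub fn validate_checkout_path(entry_path: &str) -> Result<Vec<&str>, PathError> {
    if entry_path.is_empty() {
        return Err(PathError::Empty);
    }
    if entry_path.contains('\0') {
        return Err(PathError::NulByte);
    }
    // `\` is a separator on Windows, so it is treated as one everywhere:
    // otherwise `..\x` would pass as a single, merely odd, filename.
    let is_sep = |c: char| c == '/' || c == '\\';
    if entry_path.starts_with(is_sep) || has_drive_prefix(entry_path) {
        return Err(PathError::Absolute);
    }
    let mut components = Vec::new();
    for component in entry_path.split(is_sep) {
        match component {
            "" => return Err(PathError::EmptyComponent),
            "." => return Err(PathError::DotComponent),
            ".." => return Err(PathError::DotDotComponent),
            // Case-insensitive because case-folding filesystems map `.GIT` onto `.git`.
            c if c.eq_ignore_ascii_case(".git") => return Err(PathError::GitDirComponent),
            c => components.push(c),
        }
    }
    Ok(components)
}

fn main() {
    // Constructed sample tree-entry names: one benign, the rest rejected.
    let samples = ["src/main.rs", "docs/../../outside.txt", ".git/config", "sub/.GIT/config", "C:/tmp/x"];
    for p in samples {
        match validate_checkout_path(p) {
            Ok(parts) => println!("{p:?}: ok, {} component(s)", parts.len()),
            Err(e) => println!("{p:?}: rejected ({e})"),
        }
    }
}
```

The validator is deliberately stricter than a plain "no `..`" test: `a//b`, trailing separators and `.` components are rejected too, because they are never legitimate in a tree and their presence is a signal of a crafted object. A production check also has to account for filesystem equivalences this example does not model, such as Unicode normalization and NTFS short names, which is why the fixed gitoxide release performs its check in the checkout path itself rather than relying on name filters elsewhere.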
OSV
Traversal outside working tree enables arbitrary code execution
osv · 2024-05-22 · CVE-2024-35186
OSV
gix traversal outside working tree enables arbitrary code execution
osv · 2024-05-22 · CVE-2024-35186 [HIGH]
Debian
CVE-2024-35186: rust-gix-fs - gitoxide is a pure Rust implementation of Git
vendor_debian · 2024 · CVSS 8.8 · [HIGH]
Scope: local
forky: resolved (fixed in 0.11.3-1)
sid: resolved (fixed in 0.11.3-1)
trixie: resolved (fixed in 0.11.3-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-05-23