CVE-2024-35197 — Improper Handling of Windows Device Names in Gitoxide

CWE-67 — Improper Handling of Windows Device Names CWE-150 — Improper Neutralization of Escape, Meta, or Control Sequences8 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 86.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Byron Gitoxide Debian Rust-gix-index Debian Rust-gix-ref +1 more

Timeline

PublishedMay 23

Latest updateAug 22

Description

gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances. If Windows is not used, or untrusted repositories are not …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages5 packages

▶CVEListV5byron/gitoxide< 0.36.0

▶crates.iobyron/gitoxide< 0.36.0+1

▶debiandebian/rust-gix-ref

▶debiandebian/rust-gix-index

▶debiandebian/rust-gix-worktree

🔴Vulnerability Details

OSV

gitoxide-core does not neutralize special characters for terminals↗2024-08-22

▶

OSV

gitoxide-core does not neutralize special characters for terminals↗2024-08-22

▶

GHSA

gitoxide-core does not neutralize special characters for terminals↗2024-08-22

▶

OSV

gix refs and paths with reserved Windows device names access the devices↗2024-05-22

▶

OSV

Refs and paths with reserved Windows device names access the devices↗2024-05-22

▶

📋Vendor Advisories

Debian

CVE-2024-35197: rust-gix-index - gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that cl...↗2024

▶