CVE-2024-40644
Published 2024-07-18 · gitoxide: `gix-path` can be tricked into running another `git.exe` placed in an untrusted location
Priority: P4 · 34 · Severity: medium · CVSS 3.1 base score 6.8
Vector: AV:L / AC:L / PR:L / UI:R / S:U / C:H / I:H / A:L
EPSS: 0.21% (11.5th percentile)
gitoxide is an idiomatic, lean, fast & safe pure Rust implementation of Git. `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account on Windows systems.

Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While `gix-path` first looks for `git` using a `PATH` search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories. Existing functions, as well as the newly introduced `exe_invocation` function, were updated to make use of these alternative locations. This causes facilities in `gix_path::env` to directly execute `git.exe` in those locations, as well as to return its path, or whatever configuration it reports, to callers who rely on it.

Although unusual setups where the system drive is not `C:`, or even where Program Files directories have non-default names, are technically possible, the main problem arises on a 32-bit Windows system. Such a system has no `C:\Program Files (x86)` directory. A limited user on a 32-bit Windows system can therefore create the `C:\Program Files (x86)` directory and populate it with arbitrary contents. Once a payload has been placed at the second of the two hard-coded paths in this way, other user accounts including administrators will execute it if they run an application that uses `gix-path` and do not have `git` in a `PATH` directory. (While having `git` found in a `PATH` search prevents exploitation, merely having it installed in the default location under the real `C:\Program Files` directory does not. This is because the first hard-coded path's `mingw64` component assumes a 64-bit installation.)

Only Windows is affected. Exploitation is unlikely except on a 32-bit system. In particular, running a 32-bit build on a 64-bit system is not a risk factor. Furthermore, the attacker must have a user accoun
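The search order described above is the whole bug: a `PATH` lookup, then a fixed list of directories that the code trusts without asking whether they are under administrator control. The following Rust block is an added illustration written for this page; it is not code from gix-path, and the exact strings in its hard-coded list, the `WinEnv`/`Fs` abstractions, and the `admin_owned` predicate are assumptions made so the logic can run and be tested on any operating system. It places the vulnerable fallback pattern beside a hardened variant that derives candidates from `%ProgramFiles%` and `%ProgramFiles(x86)%` (the latter is unset on 32-bit Windows, so no "(x86)" candidate is ever considered there), also tries a `mingw32` layout under the real Program Files tree, and refuses any candidate that is not in an administrator-owned location. The constructed scenario is the one the advisory describes: a 32-bit host, a planted `git.exe` under a user-created `C:\Program Files (x86)`, the real Git for Windows under `C:\Program Files\Git\mingw32`, and no `git` on `PATH`.

```rust
use std::path::{Path, PathBuf};

/// The parts of a Windows environment the resolver consults (abstracted so the
/// logic runs on any OS; a real implementation would read std::env).
pub struct WinEnv<'a> {
    /// %PATH%, ';'-separated.
    pub path: &'a str,
    /// %ProgramFiles%; always set on Windows.
    pub program_files: Option<&'a str>,
    /// %ProgramFiles(x86)%; unset on 32-bit Windows, where the directory does not exist.
    pub program_files_x86: Option<&'a str>,
}

/// Simulated filesystem queries (hypothetical; real code would use std::fs and
/// the Win32 security APIs). `exists`: is there a file at this path?
/// `admin_owned`: is every component of this path writable only by administrators?
pub struct Fs<'a> {
    pub exists: &'a dyn Fn(&Path) -> bool,
    pub admin_owned: &'a dyn Fn(&Path) -> bool,
}

/// Ordinary PATH search for git.exe; both resolvers start here.
fn search_path(path: &str, fs: &Fs) -> Option<PathBuf> {
    path.split(';')
        .filter(|d| !d.is_empty())
        .map(|d| Path::new(d).join("git.exe"))
        .find(|p| (fs.exists)(p))
}

/// Vulnerable pattern (CWE-427): after PATH, fall back to hard-coded directories.
/// On 32-bit Windows "C:\Program Files (x86)" does not exist, so a limited user
/// can create it and plant git.exe; the first entry's mingw64 layout also misses
/// a genuine 32-bit install, so the planted copy wins.
pub fn resolve_git_vulnerable(env: &WinEnv, fs: &Fs) -> Option<PathBuf> {
    if let Some(p) = search_path(env.path, fs) {
        return Some(p);
    }
    // Assumed shape of such a list for illustration; not copied from gix-path.
    const ALTERNATIVE_LOCATIONS: &[&str] = &[
        "C:/Program Files/Git/mingw64/bin",
        "C:/Program Files (x86)/Git/mingw32/bin",
    ];
    ALTERNATIVE_LOCATIONS
        .iter()
        .map(|d| Path::new(d).join("git.exe"))
        .find(|p| (fs.exists)(p))
}

/// Hardened variant (this page's suggestion, not the project's fix): derive the
/// candidate directories from the environment so a 32-bit system yields no
/// "(x86)" candidate, cover the mingw32 layout under the real Program Files,
/// and never execute from a location that is not administrator-owned.
pub fn resolve_git_hardened(env: &WinEnv, fs: &Fs) -> Option<PathBuf> {
    if let Some(p) = search_path(env.path, fs) {
        return Some(p);
    }
    let mut candidates = Vec::new();
    if let Some(pf) = env.program_files {
        candidates.push(Path::new(pf).join("Git/mingw64/bin"));
        candidates.push(Path::new(pf).join("Git/mingw32/bin"));
    }
    if let Some(pf86) = env.program_files_x86 {
        candidates.push(Path::new(pf86).join("Git/mingw32/bin"));
    }
    candidates
        .into_iter()
        .map(|d| d.join("git.exe"))
        .find(|p| (fs.exists)(p) && (fs.admin_owned)(p))
}

/// Constructed scenario: 32-bit Windows, attacker-created "C:\Program Files (x86)"
/// holding a planted git.exe, real Git for Windows in the mingw32 layout under the
/// genuine Program Files, and no git on PATH. Returns (vulnerable pick, hardened pick).
pub fn scenario_32bit() -> (Option<PathBuf>, Option<PathBuf>) {
    let planted = PathBuf::from("C:/Program Files (x86)/Git/mingw32/bin/git.exe");
    let real = PathBuf::from("C:/Program Files/Git/mingw32/bin/git.exe");
    let exists = |p: &Path| p == planted.as_path() || p == real.as_path();
    // Only the genuine Program Files tree is admin-owned; the "(x86)" tree was
    // created by a limited user. Path::starts_with compares whole components, so
    // "Program Files (x86)" does not match "Program Files".
    let admin_owned = |p: &Path| p.starts_with("C:/Program Files");
    let fs = Fs { exists: &exists, admin_owned: &admin_owned };
    let env = WinEnv {
        path: "C:/Windows/system32;C:/Windows",
        program_files: Some("C:/Program Files"),
        program_files_x86: None, // 32-bit Windows: the variable is not set
    };
    (resolve_git_vulnerable(&env, &fs), resolve_git_hardened(&env, &fs))
}

fn main() {
    let (vuln, hard) = scenario_32bit();
    println!("vulnerable resolver picked: {:?}", vuln);
    println!("hardened resolver picked:   {:?}", hard);
}
```

In the scenario the vulnerable resolver returns the planted `(x86)` binary while the hardened one returns the genuine `mingw32` install. The ownership predicate is the part that does not port: on real Windows it has to be answered with the security descriptor of the directory and each ancestor, and a candidate should be rejected as soon as any component is writable by non-administrators, because a limited user who owns a parent can replace the whole subtree.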
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| byron | gitoxide | < 0.10.9 | 0.10.9 |
| debian | rust-gix-path | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 6.8 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L |
| Debian (vendor) | 6.8 | LOW | — |
GHSA (GHSA-mgvv-9p9g-3jv4) · 2024-07-18 · severity HIGH · CWE-427
CVE-2024-40644: gix-path can use a fake program files location
### Summary
When looking for Git for Windows so it can run it to report its paths, `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account.
### Details
Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While `gix-path` first looks for `git` using a `PATH` search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories:
https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14
Existing functions, as well as the newly introduced `exe_invocation` funct
OSV · 2024-07-18
CVE-2024-40644: gix-path can use a fake program files location
### Summary
When looking for Git for Windows so it can run it to report its paths, `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account.
### Details
Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While `gix-path` first looks for `git` using a `PATH` search, in version 0.10.8 it also has a fallback strategy on Windows of checking [two hard-coded paths](https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14) intended to be the 64-bit and 32-bit Program Files directories:
```rust
/// Other places to find Git in.
#[cfg(windows)]
pub(super) stat
```
Debian (vendor_debian) · 2024 · CVSS 6.8 · severity MEDIUM
CVE-2024-40644: rust-gix-path - gitoxide An idiomatic, lean, fast & safe pure Rust implementation of Git. `gix-p...
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14
- https://github.com/Byron/gitoxide/commit/15235bf7968042da0493d431bbc955d6f9f54188
- https://github.com/Byron/gitoxide/security/advisories/GHSA-mgvv-9p9g-3jv4
Published: 2024-07-18