CVE-2024-45305: Use of Incorrectly-Resolved Name or Reference in Gitoxide

Severity: 2.5 LOW (NVD)
EPSS: 0.0% (top 90.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 2; Latest update Sep 6

Description

gix-path is a crate of the gitoxide project dealing with git paths and their conversions. `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository's configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a less trusted repository to be treated as more trusted, or leaks sensitive information from one repository to another, such as sending credentials to

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Exploitability: 1.0 | Impact: 1.4

Affected Packages (2 packages)

Debian: debian/rust-gix-path, affected versions < rust-gix-path 0.10.11-1 (forky)
CVEListV5: byron/gitoxide, affected versions < 0.10.10

Vulnerability Details (7)

GHSA: gix-path improperly resolves configuration path reported by Git (2024-09-06)
OSV: gix-path improperly resolves configuration path reported by Git (2024-09-06)
OSV: gix-path improperly resolves configuration path reported by Git (2024-09-06)
OSV: gix-path uses local config across repos when it is the highest scope (2024-09-03)
GHSA: gix-path uses local config across repos when it is the highest scope (2024-09-03)

Vendor Advisories (1)

Debian: CVE-2024-45305: rust-gix-path - gix-path is a crate of the gitoxide project dealing with git paths and their con... (2024)