CVE-2024-45405: Improper Resolution of Path Equivalence in Gitoxide

Severity
6.0 MEDIUM (NVD)
EPSS
0.1%
top 78.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 6

Description

`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing with paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue. In `gix_path::env`, the und

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Exploitability: 0.8 | Impact: 5.2

Affected Packages (2 packages)

Debian: debian/rust-gix-path < rust-gix-path 0.10.11-1 (forky)
CVEListV5: byron/gitoxide < 0.10.11

Vulnerability Details (4)

GHSA: gix-path improperly resolves configuration path reported by Git (2024-09-06)
OSV: gix-path improperly resolves configuration path reported by Git (2024-09-06)
OSV: CVE-2024-45405: `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions (2024-09-06)
OSV: gix-path improperly resolves configuration path reported by Git (2024-09-06)

Vendor Advisories (1)

Debian: CVE-2024-45405: rust-gix-path - `gix-path` is a crate of the `gitoxide` project (an implementation of `git` writ... (2024)