CVSS: 6.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing with paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue. In `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks.

References: https://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142 https://github.com/Byron/gitoxide/commit/650a1b5cf25e086197cc55a68525a411e1c28031 https://github.com/Byron/gitoxide/security/advisories/GHSA-m8rp-vv92-46c7

Weaknesses: CWE-41: Improper Resolution of Path Equivalence; CWE-427: Uncontrolled Search Path Element

CVSS: 2.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

gix-path is a crate of the gitoxide project dealing with git paths and their conversions. `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository's configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a less trusted repository to be treated as more trusted, or leaks sensitive information from one repository to another, such as sending credentials to another repository's remote. In `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` and parses the first line of the output to extract the path to the configuration file holding the configuration variable of highest scope. It is believed to be very difficult to exploit this vulnerability deliberately, due to the need either to anticipate a situation in which higher-scoped configuration variables would be absent, or to arrange for this to happen.

References: https://github.com/Byron/gitoxide/security/advisories/GHSA-v26r-4c9c-h3j6 https://git-scm.com/docs/git-config#SCOPES https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L112 https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L91

Weakness: CWE-706: Use of Incorrectly-Resolved Name or Reference
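The parsing shape that the two advisories above share, as an added example that is not gitoxide's code: a naive reader of the first `git config -l --show-origin` line (quote stripping, first line wins) next to a hardened reader of `git config -l --show-origin --show-scope -z` output. The record layout `<scope>\0<origin>\0<key>\n<value>\0`, the decision to accept only a `system`-scoped file, and the sample outputs are assumptions of this example, not details taken from the advisories or from the project's fix.

```rust
use std::path::PathBuf;

/// Pre-fix style: take the first line of `git config -l --show-origin`, keep
/// the origin before the tab, drop `file:`, and strip surrounding quotes.
/// Git C-quotes unusual paths (`"a\tb"`, `"\303\251"`), so quote stripping
/// leaves the escapes in the path, and the first line belongs to whichever
/// scope exists first, which may be the local repository.
pub fn naive_installation_config(output: &str) -> Option<PathBuf> {
    let first_line = output.lines().next()?;
    let origin = first_line.split('\t').next()?;
    let path = origin.strip_prefix("file:")?;
    let path = path
        .strip_prefix('"')
        .and_then(|p| p.strip_suffix('"'))
        .unwrap_or(path);
    Some(PathBuf::from(path))
}

/// Hardened reader (an assumption of this example, not gitoxide's fix): parse
/// `git config -l --show-origin --show-scope -z`, whose records look like
/// `<scope>\0<origin>\0<key>\n<value>\0`. With `-z` the path is emitted as
/// literal bytes, so nothing is unquoted, and the scope label is checked
/// instead of trusting line order: only a `system` file is accepted.
pub fn hardened_installation_config(output: &[u8]) -> Option<PathBuf> {
    let mut fields = output.split(|&b| b == 0);
    loop {
        let scope = fields.next()?;
        let origin = fields.next()?;
        let _key_newline_value = fields.next()?;
        if scope == &b"system"[..] {
            let path = origin.strip_prefix(b"file:")?;
            return Some(PathBuf::from(std::str::from_utf8(path).ok()?));
        }
    }
}

fn main() {
    // Constructed sample outputs: a tab in the path forces C-style quoting in
    // text mode; the second sample comes from a repository with local config only.
    let text = "file:\"/opt/git/etc/odd\\tdir/gitconfig\"\tcore.autocrlf=true\n";
    println!("naive: {:?}", naive_installation_config(text));
    let nul = b"local\0file:.git/config\0core.bare\nfalse\0";
    println!("hardened (local only): {:?}", hardened_installation_config(nul));
}
```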

CVSS: 2.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

gitoxide is an idiomatic, lean, fast & safe pure Rust implementation of Git. gitoxide-core, which provides most underlying functionality of the gix and ein commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape sequences—that appear in a repository's paths, author and committer names, commit messages, or other metadata. Such text may be written as part of the output of a command, as well as appearing in error messages when an operation fails. This sometimes allows an untrusted repository to misrepresent its contents and to alter or concoct error messages.

References: https://github.com/Byron/gitoxide/security/advisories/GHSA-88g2-r9rw-g55h

Weakness: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

gitoxide is an idiomatic, lean, fast & safe pure Rust implementation of Git. `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account on Windows systems. Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While `gix-path` first looks for `git` using a `PATH` search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories. Existing functions, as well as the newly introduced `exe_invocation` function, were updated to make use of these alternative locations.

References: https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14 https://github.com/Byron/gitoxide/commit/15235bf7968042da0493d431bbc955d6f9f54188 https://github.com/Byron/gitoxide/security/advisories/GHSA-mgvv-9p9g-3jv4

Weakness: CWE-345: Insufficient Verification of Data Authenticity

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary messages that appear to have come from the application, and potentially other harmful effects under limited circumstances. If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact. A minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could interrupt the application.

References: https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9

Weakness: CWE-67: Improper Handling of Windows Device Names