
CVE-2025-22620 – gix-worktree-state nonexclusive checkout sets executable files world-writable
https://notcve.org/view.php?id=CVE-2025-22620
20 Jan 2025 — gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations. This vulnerability is fixed in 0.17.0. • https://github.com/EliahKagan/checkout-index • CWE-281: Improper Preservation of Permissions CWE-687: Function Call With Incorrectly Specified Argument Value

CVE-2024-45405 – gix-path improperly resolves configuration path reported by Git
https://notcve.org/view.php?id=CVE-2024-45405
06 Sep 2024 — `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing with paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue. In `gix_path::env`, the underlying imple... • https://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142 • CWE-41: Improper Resolution of Path Equivalence CWE-427: Uncontrolled Search Path Element

CVE-2024-45305 – gix-path uses local config across repos when it is the highest scope
https://notcve.org/view.php?id=CVE-2024-45305
02 Sep 2024 — gix-path is a crate of the gitoxide project dealing with git paths and their conversions. `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository's configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a less trusted repository to be treated as more trusted, or leaks sensitive information from one repository to another, such as sending credentials to another repo... • https://github.com/Byron/gitoxide/security/advisories/GHSA-v26r-4c9c-h3j6 • CWE-706: Use of Incorrectly-Resolved Name or Reference

CVE-2024-43785 – gitoxide-core does not neutralize special characters for terminals
https://notcve.org/view.php?id=CVE-2024-43785
22 Aug 2024 — gitoxide is an idiomatic, lean, fast & safe pure Rust implementation of Git. gitoxide-core, which provides most underlying functionality of the gix and ein commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape sequences—that appear in a repository's paths, author and committer names, commit messages, or other metadata. Such text may be written as part of the output of a command, as well as appearing in error messages when an operation fails. This someti... • https://github.com/Byron/gitoxide/security/advisories/GHSA-88g2-r9rw-g55h • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

CVE-2024-40644 – gitoxide's gix-path can use a fake program files location
https://notcve.org/view.php?id=CVE-2024-40644
18 Jul 2024 — gitoxide is an idiomatic, lean, fast & safe pure Rust implementation of Git. `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account on Windows systems. Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While `gix-path` first looks for `git` using a `PATH` search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be t... • https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14 • CWE-345: Insufficient Verification of Data Authenticity

CVE-2024-35197 – gix refs and paths with reserved Windows device names access the devices
https://notcve.org/view.php?id=CVE-2024-35197
23 May 2024 — gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary messages that appear to have come from the application, and potentially other harmful effects under limited circumstances. If Windows is not used, or untrusted repositories are not cloned or ot... • https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9 • CWE-67: Improper Handling of Windows Device Names

CVE-2024-35186 – gix traversal outside working tree enables arbitrary code execution
https://notcve.org/view.php?id=CVE-2024-35186
23 May 2024 — gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0... • https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c • CWE-23: Relative Path Traversal

CVE-2024-32884 – gix-transport indirect code execution via malicious username
https://notcve.org/view.php?id=CVE-2024-32884
26 Apr 2024 — gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less sev... • https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')