// For flags

CVE-2024-32884

gix-transport indirect code execution via malicious username

Severity Score

6.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.

gitoxide es una implementación Rust pura de Git. `gix-transport` no verifica la parte del nombre de usuario de una URL en busca de texto que el programa externo `ssh` interpretaría como una opción. Una URL clonada especialmente manipulada puede pasar de contrabando opciones a SSH. Las posibilidades son sintácticamente limitadas, pero si una aplicación cuyo directorio de trabajo actual contiene un archivo malicioso utiliza una URL de clonación maliciosa, se produce la ejecución de código arbitrario. Esto está relacionado con la vulnerabilidad parcheada GHSA-rrjw-j4m2-mf34, pero parece menos grave debido a una mayor complejidad del ataque. Este problema se solucionó en las versiones 0.35.0, 0.42.0 y 0.62.0.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
High
Authentication
Single
Confidentiality
Complete
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-04-19 CVE Reserved
  • 2024-04-26 CVE Published
  • 2024-04-27 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Byron
Search vendor "Byron"
 Gitoxide
Search vendor "Byron" for product "Gitoxide"
 < 0.42.0
Search vendor "Byron" for product "Gitoxide" and version " < 0.42.0"
en
Affected
Byron
Search vendor "Byron"
 Gitoxide
Search vendor "Byron" for product "Gitoxide"
 < 0.62
Search vendor "Byron" for product "Gitoxide" and version " < 0.62"
en
Affected
Byron
Search vendor "Byron"
 Gitoxide
Search vendor "Byron" for product "Gitoxide"
 < 0.35
Search vendor "Byron" for product "Gitoxide" and version " < 0.35"
en
Affected