CVE-2024-32884

gix-transport indirect code execution via malicious username

Severity Score

6.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.

gitoxide es una implementación Rust pura de Git. `gix-transport` no verifica la parte del nombre de usuario de una URL en busca de texto que el programa externo `ssh` interpretaría como una opción. Una URL clonada especialmente manipulada puede pasar de contrabando opciones a SSH. Las posibilidades son sintácticamente limitadas, pero si una aplicación cuyo directorio de trabajo actual contiene un archivo malicioso utiliza una URL de clonación maliciosa, se produce la ejecución de código arbitrario. Esto está relacionado con la vulnerabilidad parcheada GHSA-rrjw-j4m2-mf34, pero parece menos grave debido a una mayor complejidad del ataque. Este problema se solucionó en las versiones 0.35.0, 0.42.0 y 0.62.0.

*Credits: N/A

CVSS Scores

GitHubv3.1 6.4

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-19 CVE Reserved
2024-04-26 CVE Published
2024-04-27 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CAPEC

References (2)

URL	Tag	Source
https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh	X_refsource_confirm
https://rustsec.org/advisories/RUSTSEC-2024-0335.html	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Byron Search vendor "Byron"		Gitoxide Search vendor "Byron" for product "Gitoxide"				< 0.42.0 Search vendor "Byron" for product "Gitoxide" and version " < 0.42.0"		en		Affected
Byron Search vendor "Byron"		Gitoxide Search vendor "Byron" for product "Gitoxide"				< 0.62 Search vendor "Byron" for product "Gitoxide" and version " < 0.62"		en		Affected
Byron Search vendor "Byron"		Gitoxide Search vendor "Byron" for product "Gitoxide"				< 0.35 Search vendor "Byron" for product "Gitoxide" and version " < 0.35"		en		Affected