Plattform
rust
Komponente
gix-worktree-state
Behoben in
0.36.1
0.11.0
CVE-2024-35186 is a high-severity vulnerability affecting gitoxide, a Rust implementation of Git. This vulnerability allows an attacker to write arbitrary files during the checkout process, potentially leading to unauthorized access and system compromise. The issue arises from insufficient validation of paths during checkout, allowing specially crafted repositories to place files outside the intended repository directory. Affected versions are those prior to 0.11.0, and a fix has been released.
The core of this vulnerability lies in gitoxide's insufficient path validation during checkout operations. When cloning a repository, the application doesn't adequately verify that the paths within the repository point to locations within the intended working tree. An attacker can leverage this by crafting a repository containing specially named tree or blob objects. Upon cloning, gitoxide will attempt to create files based on these names, potentially writing them to any location writable by the application process. This could include overwriting critical system files, injecting malicious code, or gaining unauthorized access to sensitive data. The blast radius extends beyond the repository itself, potentially impacting the entire system if the application runs with elevated privileges.
CVE-2024-35186 was publicly disclosed on May 22, 2024. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation. The vulnerability's impact is significant due to its potential for arbitrary file writes, making it a high-priority concern for users of gitoxide.
Developers and systems administrators who use gitoxide in their workflows are at risk. This includes those involved in CI/CD pipelines, automated build processes, and any environment where Git repositories are cloned from untrusted sources. Shared hosting environments where multiple users have write access to the same Git repository are particularly vulnerable.
• linux / server:
find /path/to/git/working/directory -type f -not -path "*/.git/*" -printf '%f\n' | sort | uniq -c | sort -nr | head -10This command searches for the 10 most frequently created files in the Git working directory, which could indicate malicious file creation. • windows / supply-chain:
Get-ChildItem -Path $env:TEMP -Recurse -File | Sort-Object LastWriteTime -Descending | Select-Object -First 10This PowerShell command lists the 10 most recently modified files in the temporary directory, which could reveal suspicious file activity. • generic web:
curl -I <gitoxide_repository_url> | grep 'Content-Type:'Inspect the Content-Type header of the Git repository URL to ensure it's a valid Git repository and not attempting to serve malicious content.
disclosure
Exploit-Status
EPSS
0.43% (63% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-35186 is to immediately upgrade to gitoxide version 0.11.0 or later. This version includes the necessary path validation checks to prevent arbitrary file writes. If upgrading is not immediately feasible, consider implementing stricter file system permissions to limit the application's write access. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to monitor for unusual file creation patterns or suspicious file names. There are no known specific Sigma or YARA rules for this vulnerability, but monitoring for unexpected file creation events within the gitoxide working directory is recommended. After upgrading, confirm the fix by attempting to clone a known malicious repository (if available) and verifying that files are not created outside the intended repository directory.
Actualice la biblioteca gitoxide a la versión 0.36.0 o superior. Esto corregirá la vulnerabilidad de recorrido de directorio que permite la ejecución de código arbitrario. Asegúrese de actualizar todas las dependencias que utilicen gitoxide para evitar la propagación de la vulnerabilidad.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-35186 is a high-severity vulnerability in gitoxide that allows attackers to write arbitrary files during the checkout process, potentially leading to system compromise.
You are affected if you are using gitoxide versions prior to 0.11.0. Upgrade to the latest version to mitigate the risk.
Upgrade to gitoxide version 0.11.0 or later. This version includes the necessary fixes to prevent arbitrary file writes.
Active exploitation campaigns are not currently confirmed, but the potential for abuse is high due to the vulnerability's severity and ease of exploitation.
Refer to the gitoxide repository on GitHub for the latest information and advisory: [https://github.com/gitoxide/gitoxide](https://github.com/gitoxide/gitoxide)
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Cargo.lock-Datei hoch und wir sagen dir sofort, ob du betroffen bist.