Platform
rust
Component
gix-worktree-state
Fixed in
0.36.1
0.11.0
CVE-2024-35186 is a high-severity vulnerability affecting gitoxide, a Rust implementation of Git. This vulnerability allows an attacker to write arbitrary files during the checkout process, potentially leading to unauthorized access and system compromise. The issue arises from insufficient validation of paths during checkout, allowing specially crafted repositories to place files outside the intended repository directory. Affected versions are those prior to 0.11.0, and a fix has been released.
The impact of CVE-2024-35186 is significant due to the potential for arbitrary file writes. An attacker could leverage this vulnerability by crafting a malicious Git repository and tricking a user into cloning it. Upon cloning, the repository would create files in arbitrary writable locations on the system. This could include overwriting critical system files, injecting malicious code into existing files, or creating backdoor accounts. The blast radius extends beyond the repository itself, potentially impacting the entire system. This vulnerability shares similarities with other path traversal vulnerabilities where insufficient input validation allows attackers to manipulate file paths.
CVE-2024-35186 was publicly disclosed on May 22, 2024. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the high severity of the vulnerability. Active exploitation campaigns are not currently confirmed, but the potential for abuse is high.
Exploit Status
EPSS
0.43% (63% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-35186 is to upgrade to gitoxide version 0.11.0 or later, which includes the necessary fixes. If upgrading immediately is not feasible, consider temporarily restricting write access to the working directory to prevent attackers from creating files outside the repository. Additionally, carefully scrutinize Git repositories before cloning them, especially those from untrusted sources. There are no specific WAF or proxy rules that can directly address this vulnerability, as it occurs during the Git checkout process itself. Monitor system logs for unusual file creation activity within the Git working directory.
Actualice la biblioteca gitoxide a la versión 0.36.0 o superior. Esto corregirá la vulnerabilidad de recorrido de directorio que permite la ejecución de código arbitrario. Asegúrese de actualizar todas las dependencias que utilicen gitoxide para evitar la propagación de la vulnerabilidad.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-35186 is a high-severity vulnerability in gitoxide that allows attackers to write arbitrary files during the checkout process, potentially leading to system compromise.
You are affected if you are using gitoxide versions prior to 0.11.0. Upgrade to the latest version to mitigate the risk.
Upgrade to gitoxide version 0.11.0 or later. This version includes the necessary fixes to prevent arbitrary file writes.
Active exploitation campaigns are not currently confirmed, but the potential for abuse is high due to the vulnerability's severity and ease of exploitation.
Refer to the gitoxide repository on GitHub for the latest information and advisory: [https://github.com/gitoxide/gitoxide](https://github.com/gitoxide/gitoxide)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your Cargo.lock file and we'll tell you instantly if you're affected.