Platform
rust
Component
jj-lib
Fixed in
0.23.1
0.23.0
CVE-2024-51990 describes a Path Traversal vulnerability discovered in jj-lib, a Git-compatible data store. This vulnerability allows attackers to write files outside the intended clone directory by leveraging specially crafted Git repositories. The vulnerability impacts versions of jj-lib prior to 0.23.0. A fix has been released in version 0.23.0, and users are advised to upgrade.
The primary impact of CVE-2024-51990 is the potential for arbitrary file writes. An attacker who can control the contents of a Git repository cloned by jj-lib can craft a repository containing file objects with path traversal sequences. This allows the attacker to specify arbitrary file paths outside the intended clone directory, effectively writing files to locations they shouldn't have access to. The blast radius depends on the permissions of the user running jj-lib; a privileged user could potentially compromise the entire system. This vulnerability is similar in concept to other path traversal exploits, where attackers manipulate file paths to access or modify unauthorized resources.
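A generic form of the check that stops this class of bug, added here as an example; it is not jj-lib's code or its actual fix. The helper name `safe_join` and the sample paths are hypothetical, and the check is purely lexical: it validates each path component from the repository before anything is joined onto the clone directory.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical helper (not jj-lib's API): map a path taken from a repository
/// tree onto the working-copy root, refusing anything that could escape it.
fn safe_join(root: &Path, repo_path: &str) -> Result<PathBuf, String> {
    // Tree paths use '/' as separator. A backslash is also a separator on
    // Windows, and NUL is never valid in a file name, so reject both outright.
    if repo_path.contains('\\') || repo_path.contains('\0') {
        return Err(format!("forbidden character in {repo_path:?}"));
    }
    let mut out = root.to_path_buf();
    for part in repo_path.split('/') {
        // Each piece must parse as exactly one ordinary file name. This rejects
        // "" (leading, trailing or doubled '/'), ".", "..", and on Windows
        // drive prefixes such as "C:".
        let mut comps = Path::new(part).components();
        match (comps.next(), comps.next()) {
            (Some(Component::Normal(_)), None) => out.push(part),
            _ => return Err(format!("unsafe component {part:?} in {repo_path:?}")),
        }
    }
    Ok(out)
}

fn main() {
    // Constructed sample inputs, not taken from the original report.
    let root = Path::new("/work/clone");
    let samples = [
        "src/lib.rs",
        "../outside.txt",
        "docs/../../outside.txt",
        "/tmp/outside.txt",
        "a//b",
    ];
    for p in samples {
        match safe_join(root, p) {
            Ok(dest) => println!("write  {p:?} -> {}", dest.display()),
            Err(e) => println!("reject {p:?}: {e}"),
        }
    }
}
```

A lexical check like this does not cover symbolic links already present inside the working copy; those need a separate check at write time.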
CVE-2024-51990 was publicly disclosed on 2024-11-07. There are no known active exploitation campaigns targeting this vulnerability at the time of writing. A public proof-of-concept (PoC) was provided in the original report by @joernchen, demonstrating the vulnerability's exploitability. The vulnerability is not currently listed on the CISA KEV catalog.
EPSS
0.17% (39th percentile)
The primary mitigation for CVE-2024-51990 is to upgrade to version 0.23.0 or later of jj-lib. If upgrading is not immediately feasible, the most effective workaround is to strictly avoid cloning Git repositories from untrusted sources. Carefully vet the origin and contents of any repository before cloning it with jj-lib. There are no specific WAF or proxy rules that can directly mitigate this vulnerability, as it occurs during the file processing stage within jj-lib itself. Monitoring file system activity for unexpected writes outside the expected clone directory could provide some detection capabilities, but this is not a substitute for patching.
Upgrade jj to version 0.23.0 or later. If you cannot upgrade, avoid cloning repositories from unknown sources to mitigate the path traversal risk. Upgrading is the recommended solution for protecting against this vulnerability.
CVE-2024-51990 is a Path Traversal vulnerability in jj-lib, allowing attackers to write files outside the intended clone directory using crafted Git repositories.
You are affected if you are using a version of jj-lib prior to 0.23.0 and clone repositories from untrusted sources.
Upgrade to version 0.23.0 or later of jj-lib. As a temporary workaround, avoid cloning repositories from untrusted sources.
There are currently no known active exploitation campaigns targeting CVE-2024-51990, but a public proof-of-concept exists.
Refer to the jj-lib project's release notes and GitHub repository for updates and advisories related to CVE-2024-51990.