CVE-2024-32884

gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.
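The root cause is that `[user@]host` is passed to `ssh` as a single argv token, so a user part beginning with `-` turns that whole token into an option. The following is an added illustration, not gitoxide's own code: a minimal `ssh://` URL splitter plus a destination builder that refuses any user (or host, the case covered by the related advisory) starting with `-`. The argv layout with `git-upload-pack '<path>'` and the absence of port handling are assumptions made for the example.

```rust
// Added example, not gitoxide's own code: validate the user part of an
// `ssh://` clone URL before it reaches the external `ssh` binary.
// Assumptions: URLs have the shape `ssh://[user@]host/path` with no port,
// and the remote command is `git-upload-pack '<path>'` (hypothetical layout).

#[derive(Debug, PartialEq)]
pub enum DestinationError {
    NotSshUrl,
    EmptyHost,
    /// The user part starts with `-`; `ssh` would parse `user@host` as an option.
    UserLooksLikeOption(String),
    /// The host starts with `-` (the earlier GHSA-rrjw-j4m2-mf34 case).
    HostLooksLikeOption(String),
}

/// Split `ssh://[user@]host/path` into (user, host, path). The split is on the
/// LAST `@`, so a user part that itself contains `@` stays whole; this is what
/// lets a smuggled option survive as a single argv token.
pub fn split_ssh_url(url: &str) -> Result<(Option<&str>, &str, &str), DestinationError> {
    let rest = url.strip_prefix("ssh://").ok_or(DestinationError::NotSshUrl)?;
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, "/"),
    };
    let (user, host) = match authority.rfind('@') {
        Some(i) => (Some(&authority[..i]), &authority[i + 1..]),
        None => (None, authority),
    };
    Ok((user, host, path))
}

/// Build the `[user@]host` destination token. Anything beginning with `-` is
/// refused: once spliced into one token, `ssh` sees an option, not a host.
pub fn ssh_destination(user: Option<&str>, host: &str) -> Result<String, DestinationError> {
    if host.is_empty() {
        return Err(DestinationError::EmptyHost);
    }
    if host.starts_with('-') {
        return Err(DestinationError::HostLooksLikeOption(host.to_owned()));
    }
    match user {
        Some(u) if u.starts_with('-') => Err(DestinationError::UserLooksLikeOption(u.to_owned())),
        Some(u) if !u.is_empty() => Ok(format!("{u}@{host}")),
        _ => Ok(host.to_owned()),
    }
}

/// Full argv for spawning `ssh` for a fetch (hypothetical layout). Returning
/// argv instead of spawning keeps the example offline and testable.
pub fn ssh_argv(url: &str) -> Result<Vec<String>, DestinationError> {
    let (user, host, path) = split_ssh_url(url)?;
    let destination = ssh_destination(user, host)?;
    Ok(vec![
        "ssh".to_owned(),
        destination,
        format!("git-upload-pack '{path}'"),
    ])
}

fn main() {
    // Constructed inputs: a benign URL and one whose user part is option-shaped.
    for url in [
        "ssh://git@example.com/repo.git",
        "ssh://-oBatchMode=yes@example.com/repo.git",
    ] {
        match ssh_argv(url) {
            Ok(argv) => println!("{url} -> {argv:?}"),
            Err(e) => println!("{url} -> rejected: {e:?}"),
        }
    }
}
```

Inserting `--` before the destination is not a substitute for this check: it stops `ssh` from reading later tokens as options, but `-oBatchMode=yes@example.com` is still one token and is still option-shaped, so refusing a leading `-` in both the user and host parts is the check that matters.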
Configurations

No configuration.

History

21 Nov 2024, 09:15

Type Values Removed Values Added
Summary
  • (es) [Spanish-language summary, translated] gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.
References added:
  • https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh
  • https://rustsec.org/advisories/RUSTSEC-2024-0335.html

26 Apr 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-04-26 18:15

Updated : 2024-11-21 09:15


NVD link : CVE-2024-32884

Mitre link : CVE-2024-32884

CVE.ORG link : CVE-2024-32884



Products Affected

No product.

CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')