CVE-2024-35186

{"id": "CVE-2024-35186", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-05-23T09:15:09.620", "references": [{"url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c", "source": "security-advisories@github.com"}, {"url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-23"}]}], "descriptions": [{"lang": "en", "value": "gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0.36.0."}, {"lang": "es", "value": "gitoxide es una implementaci\u00f3n Rust pura de Git. Durante el pago, `gix-worktree-state` no verifica que las rutas apunten a ubicaciones en el \u00e1rbol de trabajo. Un repositorio especialmente manipulado puede, cuando se clona, colocar archivos nuevos en cualquier lugar donde la aplicaci\u00f3n pueda escribirlos. Esta vulnerabilidad provoca una p\u00e9rdida importante de confidencialidad, integridad y disponibilidad, pero la creaci\u00f3n de archivos fuera de un \u00e1rbol de trabajo sin intentar ejecutar c\u00f3digo tambi\u00e9n puede afectar directamente la integridad. Esta vulnerabilidad ha sido parcheada en las versiones 0.36.0."}], "lastModified": "2024-11-21T09:19:53.587", "sourceIdentifier": "security-advisories@github.com"}