CVE-2024-51990

jj, or Jujutsu, is a Git-compatible VCS written in rust. In affected versions specially crafted Git repositories can cause `jj` to write files outside the clone. This issue has been addressed in version 0.23.0. Users are advised to upgrade. Users unable to upgrade should avoid cloning repos from unknown sources.

CVSS

No CVSS.

References

Link	Resource
https://github.com/martinvonz/jj/security/advisories/GHSA-88h5-6w7m-5w56

Configurations

No configuration.

History

08 Nov 2024, 19:01

Type	Values Removed	Values Added
Summary		(es) jj, o Jujutsu, es un VCS compatible con Git escrito en rust. En las versiones afectadas, los repositorios Git especialmente manipulados pueden hacer que `jj` escriba archivos fuera del clon. Este problema se ha solucionado en la versión 0.23.0. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben evitar clonar repositorios de fuentes desconocidas.

07 Nov 2024, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 01:15

Updated : 2024-11-08 19:01

NVD link : CVE-2024-51990

Mitre link : CVE-2024-51990

CVE.ORG link : CVE-2024-51990

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-51990", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 9.3, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-11-07T01:15:03.497", "references": [{"url": "https://github.com/martinvonz/jj/security/advisories/GHSA-88h5-6w7m-5w56", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "jj, or Jujutsu, is a Git-compatible VCS written in rust. In affected versions specially crafted Git repositories can cause `jj` to write files outside the clone. This issue has been addressed in version 0.23.0. Users are advised to upgrade. Users unable to upgrade should avoid cloning repos from unknown sources."}, {"lang": "es", "value": "jj, o Jujutsu, es un VCS compatible con Git escrito en rust. En las versiones afectadas, los repositorios Git especialmente manipulados pueden hacer que `jj` escriba archivos fuera del clon. Este problema se ha solucionado en la versi\u00f3n 0.23.0. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben evitar clonar repositorios de fuentes desconocidas."}], "lastModified": "2024-11-08T19:01:25.633", "sourceIdentifier": "security-advisories@github.com"}