CVE-2024-32884
Description
gitoxide is a pure Rust implementation of Git. gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gix-transportcrates.io | < 0.42.0 | 0.42.0 |
gixcrates.io | < 0.62 | 0.62 |
gitoxidecrates.io | < 0.35 | 0.35 |
Affected products
8- osv-coords7 versionspkg:apk/chainguard/cargo-auditpkg:apk/chainguard/cargo-audit-docpkg:apk/wolfi/cargo-auditpkg:apk/wolfi/cargo-audit-docpkg:cargo/gitoxidepkg:cargo/gixpkg:cargo/gix-transport
< 0.21.2-r1+ 6 more
- (no CPE)range: < 0.21.2-r1
- (no CPE)range: < 0.21.2-r1
- (no CPE)range: < 0.21.2-r1
- (no CPE)range: < 0.21.2-r1
- (no CPE)range: < 0.35
- (no CPE)range: < 0.62
- (no CPE)range: < 0.42.0
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.