High severity (8.8) · OSV Advisory · Published May 23, 2024 · Updated Apr 15, 2026
CVE-2024-35186
Description
gitoxide is a pure Rust implementation of Git. During checkout, gix-worktree-state does not verify that the paths it writes resolve to locations inside the working tree. A specially crafted repository can therefore, when cloned, place new files anywhere the cloning application has write access. Because the attacker controls both the path and the contents of those files, the impact is rated as a major loss of confidentiality, integrity, and availability; even when no attempt is made to get the written file executed, creating files outside the working tree is by itself an integrity violation. The fix shipped in gix-worktree-state 0.11.0 and gitoxide 0.36.0 (per-crate patched versions are listed in the table below).
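The missing check, reconstructed as an added example rather than gitoxide's own code: `unchecked_target` shows the behaviour the advisory describes (join the index path onto the worktree root and use it as-is), `lexically_checked_target` is the kind of component-level check that stops absolute paths and `..` escapes, and `write_entry` adds a runtime refusal to descend through symlinks. The function and type names, the `Reject` enum, the symlink step (which the advisory does not mention) and the hostile index entries are all assumptions made for this example.

```rust
use std::fs;
use std::path::{Component, Path, PathBuf};

/// Why an index entry was refused before anything touched the disk (assumed type).
#[derive(Debug, PartialEq, Eq)]
pub enum Reject {
    Absolute,
    ParentTraversal,
    Empty,
    NulByte,
    EscapesViaSymlink,
    Io(String),
}

/// The unchecked behaviour the advisory describes, reconstructed for contrast
/// (not gitoxide's code): `Path::join` discards the base when the entry is
/// absolute, and `..` components walk out of the tree.
pub fn unchecked_target(worktree: &Path, entry: &str) -> PathBuf {
    worktree.join(entry)
}

/// Lexical check: relative, no `..`, no NUL, at least one real component.
/// Backslashes count as separators so a repository crafted on Windows is
/// rejected the same way on every platform.
pub fn lexically_checked_target(worktree: &Path, entry: &str) -> Result<PathBuf, Reject> {
    if entry.contains('\0') {
        return Err(Reject::NulByte);
    }
    let normalized = entry.replace('\\', "/");
    let mut target = worktree.to_path_buf();
    let mut depth = 0;
    for comp in Path::new(&normalized).components() {
        match comp {
            Component::Prefix(_) | Component::RootDir => return Err(Reject::Absolute),
            Component::ParentDir => return Err(Reject::ParentTraversal),
            Component::CurDir => {}
            Component::Normal(c) => {
                target.push(c);
                depth += 1;
            }
        }
    }
    if depth == 0 {
        return Err(Reject::Empty);
    }
    Ok(target)
}

/// Writes one entry after the lexical check, creating intermediate directories
/// one component at a time and refusing to go through a symlink. This runtime
/// step is extra hardening assumed here: a symlink checked out earlier in the
/// same clone could otherwise redirect a lexically clean path outside the tree.
pub fn write_entry(worktree: &Path, entry: &str, contents: &[u8]) -> Result<PathBuf, Reject> {
    let target = lexically_checked_target(worktree, entry)?;
    let rel = target.strip_prefix(worktree).expect("target was built below worktree");
    let mut dirs: Vec<_> = rel.components().collect();
    dirs.pop(); // the final component is the file itself
    let mut dir = worktree.to_path_buf();
    for comp in dirs {
        dir.push(comp);
        match fs::symlink_metadata(&dir) {
            Ok(md) if md.file_type().is_symlink() => return Err(Reject::EscapesViaSymlink),
            Ok(_) => {}
            Err(_) => fs::create_dir(&dir).map_err(|e| Reject::Io(e.to_string()))?,
        }
    }
    fs::write(&target, contents).map_err(|e| Reject::Io(e.to_string()))?;
    Ok(target)
}

/// Runs a constructed hostile index (one benign entry, four hostile ones)
/// against a scratch worktree and returns each entry's checked outcome as a
/// worktree-relative path. On Unix a symlink `link` -> outside the tree is
/// planted first so the runtime check is exercised.
pub fn demo() -> Vec<(String, Result<String, Reject>)> {
    let scratch = std::env::temp_dir().join(format!("cve-2024-35186-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&scratch);
    let worktree = scratch.join("worktree");
    let outside = scratch.join("outside");
    fs::create_dir_all(&worktree).unwrap();
    fs::create_dir_all(&outside).unwrap();
    #[cfg(unix)]
    std::os::unix::fs::symlink(&outside, worktree.join("link")).unwrap();

    // Constructed index entries, as an attacker-controlled repository could carry them.
    let entries = ["src/main.rs", "../../.bashrc", "/etc/cron.d/backdoor", "..\\..\\evil.bat", "link/payload"];
    let report: Vec<_> = entries
        .iter()
        .map(|entry| {
            let outcome = write_entry(&worktree, entry, b"attacker-controlled contents")
                .map(|p| p.strip_prefix(&worktree).unwrap().to_string_lossy().into_owned());
            (entry.to_string(), outcome)
        })
        .collect();
    let _ = fs::remove_dir_all(&scratch);
    report
}

fn main() {
    let worktree = Path::new("/work/repo");
    for (entry, outcome) in demo() {
        let unchecked = unchecked_target(worktree, &entry).to_string_lossy().into_owned();
        println!("{entry:<22} unchecked -> {unchecked:<32} checked -> {outcome:?}");
    }
}
```

The lexical check alone is what the advisory's fix is about; the per-component symlink refusal is the caveat a practitioner would add on top, because a repository can check out a symlink first and a file through it second, and a purely string-based check never sees that.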
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| gix-worktree-state | crates.io | < 0.11.0 | 0.11.0 |
| gitoxide | crates.io | < 0.36.0 | 0.36.0 |
| gix-fs | crates.io | < 0.11.0 | 0.11.0 |
| gix-worktree | crates.io | < 0.34.0 | 0.34.0 |
| gix | crates.io | < 0.63.0 | 0.63.0 |
| gitoxide-core | crates.io | < 0.38.0 | 0.38.0 |
| gix-index | crates.io | < 0.33.0 | 0.33.0 |
Affected products
OSV lists 12 package coordinates (purls), none of which carries a CPE; the affected range for each is:
- pkg:apk/chainguard/cargo-audit: < 0.21.2-r1
- pkg:apk/chainguard/cargo-audit-doc: < 0.21.2-r1
- pkg:apk/wolfi/cargo-audit: < 0.21.2-r1
- pkg:apk/wolfi/cargo-audit-doc: < 0.21.2-r1
- pkg:cargo/gitoxide: < 0.36.0
- pkg:cargo/gitoxide-core: < 0.38.0
- pkg:cargo/gix: < 0.63.0
- pkg:cargo/gix-fs: < 0.11.0
- pkg:cargo/gix-index: < 0.33.0
- pkg:cargo/gix-worktree: < 0.34.0
- pkg:cargo/gix-worktree-state: < 0.11.0
- pkg:rpm/opensuse/gitoxide (distro: openSUSE Tumbleweed): < 0.36.0-1.1