Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade gitoxide
to version 0.35.0 or higher.
gitoxide is a command-line application for interacting with git repositories
Affected versions of this package are vulnerable to Command Injection due to the handling of the username part of a URL. An attacker can execute arbitrary code by crafting a clone URL that includes options interpreted by the external ssh
program. This is particularly effective if the application's current working directory contains a malicious file, leading to arbitrary code execution. This vulnerability is exploitable only if the application is run in an untrusted git repository that could contain a specially named ssh
configuration file, making it possible to smuggle in an -F
option referencing the file.
gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo'