Command Injection Affecting gitoxide package, versions <0.35.0
Snyk ID SNYK-RUST-GITOXIDE-6689284
- published 28 Apr 2024
- disclosed 15 Apr 2024
- credit Eliah Kagan
Introduced: 15 Apr 2024
CVE-2024-32884
How to fix?
Upgrade gitoxide to version 0.35.0 or higher.
Overview
gitoxide is a Rust implementation of git; its `gix` command-line application interacts with git repositories and, for ssh remotes, delegates the connection to an external `ssh` program.
Affected versions of this package are vulnerable to Command Injection in the handling of the username part of an ssh clone URL. That value is placed on the command line of the external `ssh` program without being checked for a leading `-`, so a crafted clone URL can smuggle in arguments that `ssh` parses as its own options. Some options, such as `-oProxyCommand=...`, run an attacker-chosen command with nothing more than the URL, which is what the PoC below does. Others need a file under attacker control: if the application's current working directory, for example an untrusted git repository it was run in, contains a specially named ssh configuration file, an `-F` option referencing that file can be smuggled in the same way and reaches arbitrary code execution through the configuration file's own directives.
PoC

```shell
# Runs on macOS: `open -a Calculator` launches Calculator, proving the
# smuggled ProxyCommand executed. OpenSSH hands ProxyCommand to /bin/sh,
# so $IFS expands to whitespace and "open$IFS-aCalculator" becomes
# "open -aCalculator". No repository or config file on disk is needed.
gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo'
```
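To make the mechanism concrete, the following added example (illustration only, not gitoxide's or gix-transport's own code) shows how the authority part of a clone URL becomes one argv element of the external `ssh` command, why the PoC authority is then consumed as an option, and the leading-dash check that blocks it. `split_ssh_url`, `ssh_argv_unchecked`, `ssh_argv_checked` and `SshArgError` are hypothetical names; the URL splitting is deliberately minimal, and because a real URL parser may assign the text before the first `/` to the user or the host differently, the check covers both parts.

```rust
// Added illustration, not gitoxide's code: how the authority part of an
// ssh clone URL ends up as an argv element of the external `ssh`, and the
// leading-dash check that stops it from being parsed as an ssh option.
use std::fmt;

#[derive(Debug, PartialEq)]
pub enum SshArgError {
    /// `value` (from the named URL part) begins with '-', so ssh would
    /// treat it as an option instead of a destination.
    LeadingDash { part: &'static str, value: String },
}

impl fmt::Display for SshArgError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            SshArgError::LeadingDash { part, value } => {
                write!(f, "refusing ssh {part} {value:?}: looks like an ssh option")
            }
        }
    }
}

/// Minimal split of `ssh://[user@]host/path` into (user, host, path).
/// Hypothetical helper; a real URL parser may assign the text in front of
/// the first '/' differently, which is why the check below covers both parts.
pub fn split_ssh_url(url: &str) -> Option<(Option<&str>, &str, &str)> {
    let rest = url.strip_prefix("ssh://")?;
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, "/"),
    };
    let (user, host) = match authority.rsplit_once('@') {
        Some((u, h)) => (Some(u), h),
        None => (None, authority),
    };
    if host.is_empty() {
        return None;
    }
    Some((user, host, path))
}

/// Vulnerable shape: the destination is spliced into argv as-is. OpenSSH
/// parses argv with getopt, so a destination such as
/// "-oProxyCommand=open$IFS-aCalculator" is consumed as an option and the
/// ProxyCommand runs through /bin/sh before any connection is attempted.
pub fn ssh_argv_unchecked(user: Option<&str>, host: &str, path: &str) -> Vec<String> {
    let destination = match user {
        Some(u) => format!("{u}@{host}"),
        None => host.to_string(),
    };
    vec![
        "ssh".to_string(),
        destination,
        format!("git-upload-pack '{path}'"),
    ]
}

/// Hardened shape: refuse a user or host that ssh would read as an option.
/// Rejecting the input is the approach git itself took for
/// CVE-2017-1000117, rather than relying on a "--" separator that not every
/// ssh-compatible client accepts.
pub fn ssh_argv_checked(
    user: Option<&str>,
    host: &str,
    path: &str,
) -> Result<Vec<String>, SshArgError> {
    for (part, value) in [("user", user), ("host", Some(host))] {
        if let Some(v) = value {
            if v.starts_with('-') {
                return Err(SshArgError::LeadingDash { part, value: v.to_string() });
            }
        }
    }
    Ok(ssh_argv_unchecked(user, host, path))
}

fn main() {
    // The advisory's PoC URL, used only as parser input; nothing is executed.
    let poc = "ssh://-oProxyCommand=open$IFS-aCalculator/foo";
    let (user, host, path) = split_ssh_url(poc).expect("PoC URL splits");
    println!("unchecked argv: {:?}", ssh_argv_unchecked(user, host, path));
    match ssh_argv_checked(user, host, path) {
        Ok(argv) => println!("checked argv: {argv:?}"),
        Err(e) => println!("checked: {e}"),
    }
}
```

Run as a binary, the unchecked argv prints with `-oProxyCommand=open$IFS-aCalculator` as the second element, exactly what `ssh` would parse as an option, while the checked variant returns a `LeadingDash` error for the host part. The same check rejects `ssh://-Fevil@example.com/repo`, the username-based `-F` smuggling the advisory describes, and lets ordinary `git@host/path` URLs through unchanged.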