Command Injection Affecting gitoxide package, versions <0.35.0


Severity

high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.04% (11th percentile)

  • Snyk ID: SNYK-RUST-GITOXIDE-6689284
  • published: 28 Apr 2024
  • disclosed: 15 Apr 2024
  • credit: Eliah Kagan

Introduced: 15 Apr 2024

CVE-2024-32884
CWE-77

How to fix?

Upgrade gitoxide to version 0.35.0 or higher.

Overview

gitoxide is a command-line application for interacting with git repositories.

Affected versions of this package are vulnerable to Command Injection due to the handling of the username part of a URL. An attacker can execute arbitrary code by crafting a clone URL that includes options which are then interpreted by the external ssh program. This is particularly effective if the application's current working directory contains a malicious file. The vulnerability is exploitable only if the application is run in an untrusted git repository that could contain a specially named ssh configuration file, which makes it possible to smuggle in an -F option referencing that file.

PoC

gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo'
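The check a caller can apply before an ssh:// URL reaches an external ssh binary, as an added Rust example that is not gitoxide's own code: the user and host components of the URL are extracted and anything beginning with '-' is rejected, since ssh would otherwise read it as an option. The function and type names are assumptions for this example; the PoC URL above is one of the inputs it rejects.

```rust
// Added example, not gitoxide's own code: validate the authority of an
// ssh:// clone URL before it is handed to an external `ssh` binary.
// Anything that starts with '-' could be read by ssh as an option
// (e.g. -oProxyCommand=... or -F <config file>), so it is rejected.

#[derive(Debug, PartialEq)]
pub enum UrlError {
    NotSsh,
    MissingHost,
    OptionLikeUser(String),
    OptionLikeHost(String),
}

/// Parsed authority of an `ssh://[user@]host[:port]/path` URL.
#[derive(Debug, PartialEq)]
pub struct SshTarget {
    pub user: Option<String>,
    pub host: String,
}

pub fn parse_ssh_target(url: &str) -> Result<SshTarget, UrlError> {
    let rest = url.strip_prefix("ssh://").ok_or(UrlError::NotSsh)?;
    // The authority ends at the first '/'; the path is not checked here.
    let authority = rest.split('/').next().unwrap_or("");
    // Split user from host at the last '@' (a user name may contain '@').
    let (user, hostport) = match authority.rsplit_once('@') {
        Some((u, h)) => (Some(u.to_string()), h),
        None => (None, authority),
    };
    let host = hostport.split(':').next().unwrap_or("").to_string();
    if host.is_empty() {
        return Err(UrlError::MissingHost);
    }
    if let Some(u) = &user {
        if u.starts_with('-') {
            return Err(UrlError::OptionLikeUser(u.clone()));
        }
    }
    if host.starts_with('-') {
        return Err(UrlError::OptionLikeHost(host));
    }
    Ok(SshTarget { user, host })
}

fn main() {
    // The PoC URL from the advisory and a benign URL, for comparison.
    let urls = ["ssh://-oProxyCommand=open$IFS-aCalculator/foo", "ssh://git@example.com:22/repo.git"];
    for url in urls {
        println!("{url} -> {:?}", parse_ssh_target(url));
    }
}
```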

CVSS Scores

version 3.1