CVE-2024-35186: gix traversal outside working tree enables arbitrary code execution

May 22, 2024 (updated July 8, 2024)

During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.

References

github.com/Byron/gitoxide
github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c
github.com/advisories/GHSA-7w47-3wg8-547c
nvd.nist.gov/vuln/detail/CVE-2024-35186
rustsec.org/advisories/RUSTSEC-2024-0348.html
rustsec.org/advisories/RUSTSEC-2024-0350.html

Detect and mitigate CVE-2024-35186 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →