CVE-2024-40644: gix-path can use a fake program files location
On Windows, gix-path looks for Git for Windows so it can run it and have it report its paths. That lookup can be tricked into running a different git.exe that a limited user account has placed in an untrusted location, so the git.exe actually executed is not the one installed by an administrator.
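The defensive check a caller of such a lookup would want is to accept a discovered git.exe only when it lies under an install root that a limited user cannot write to. The following is an added illustration written for this page; it is not gix-path's implementation or the project's fix. It assumes the caller already holds a list of trusted roots (hypothetically obtained from the system's known-folder API, not from an environment variable a limited user can set) and compares paths component by component, so that a prefix such as C:\Program Files does not accidentally cover C:\Program Files (x86), and relative, UNC or ".."-containing candidates are rejected.

```rust
/// Split a Windows-style path into lowercase components, accepting either
/// separator. Empty components (trailing separators, the root of "C:\") are dropped.
fn components(path: &str) -> Vec<String> {
    path.split(|c| c == '\\' || c == '/')
        .filter(|c| !c.is_empty())
        .map(|c| c.to_ascii_lowercase())
        .collect()
}

/// True when the first component is a drive letter such as "c:".
fn is_absolute(comps: &[String]) -> bool {
    match comps.first() {
        Some(first) => {
            let b = first.as_bytes();
            b.len() == 2 && b[0].is_ascii_alphabetic() && b[1] == b':'
        }
        None => false,
    }
}

/// Decide whether `candidate` may be executed as git.exe.
///
/// `trusted_roots` are install roots only administrators can write to. This
/// example assumes the caller obtained them from a source a limited user
/// cannot influence; the check itself cannot verify that.
pub fn is_trusted_git_exe(candidate: &str, trusted_roots: &[&str]) -> bool {
    let cand = components(candidate);
    // Relative paths, UNC paths and paths that climb out of a directory are
    // rejected outright: they are what lets a lookup be redirected.
    if !is_absolute(&cand) || cand.iter().any(|c| c == "." || c == "..") {
        return false;
    }
    if cand.last().map(String::as_str) != Some("git.exe") {
        return false;
    }
    trusted_roots.iter().any(|root| {
        let r = components(root);
        // Component-wise prefix match: "c:\program files" must not be taken
        // as a prefix of "c:\program files (x86)".
        is_absolute(&r) && cand.len() > r.len() && cand[..r.len()] == r[..]
    })
}

fn main() {
    // Constructed sample inputs for demonstration.
    let roots = ["C:\\Program Files", "C:\\Program Files (x86)"];
    for p in [
        "C:\\Program Files\\Git\\cmd\\git.exe",
        "C:\\Users\\guest\\Program Files\\Git\\cmd\\git.exe",
        "Program Files\\Git\\cmd\\git.exe",
        "C:\\Program Files\\..\\Users\\guest\\git.exe",
    ] {
        println!("{p}: {}", is_trusted_git_exe(p, &roots));
    }
}
```

The check only answers "is this path inside a root I already trust"; the trust in the roots themselves has to come from how they were obtained, which is the part of the lookup this advisory is about.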
References
- github.com/Byron/gitoxide
- github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs
- github.com/Byron/gitoxide/security/advisories/GHSA-mgvv-9p9g-3jv4
- github.com/advisories/GHSA-mgvv-9p9g-3jv4
- github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2
- nvd.nist.gov/vuln/detail/CVE-2024-40644