CVE-2024-45305: gix-path uses local config across repos when it is the highest scope
gix-path executes git to find the path of a configuration file that belongs to the git installation itself, but mistakenly treats the local repository’s configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a less trusted repository to be treated as more trusted, or leaks sensitive information from one repository to another, such as sending credentials to another repository’s remote.
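As an added illustration of the failure mode described above (this is not gitoxide’s code and not its actual fix), the following Rust snippet parses constructed output of `git config -l --show-origin --show-scope` (the `--show-scope` flag exists since git 2.26) and contrasts a naive "first file wins" selection with one that only accepts an entry git itself labels as `system` scope. The sample output lines, file paths and the remote URL are constructed for the example.

```rust
// Added illustration for CVE-2024-45305; not gitoxide's code or its fix.
// Assumed input: output of `git config -l --show-origin --show-scope`,
// with tab-separated columns `<scope>\t<origin>\t<key>=<value>`.

#[derive(Debug, PartialEq, Eq)]
pub struct ConfigEntry<'a> {
    pub scope: &'a str,
    pub path: &'a str,
}

/// Parse one line of `git config -l --show-origin --show-scope` output.
/// Returns None for lines without three tab-separated columns or whose
/// origin is not a file (e.g. `command line:` or `standard input:`).
pub fn parse_line(line: &str) -> Option<ConfigEntry<'_>> {
    let mut cols = line.splitn(3, '\t');
    let scope = cols.next()?;
    let origin = cols.next()?;
    cols.next()?; // key=value column, not needed here
    let path = origin.strip_prefix("file:")?;
    Some(ConfigEntry { scope, path })
}

/// Vulnerable pattern: take the first file-origin entry, whatever its scope.
/// When no system-level config exists, the first line git prints may come
/// from the repository's own `.git/config`, which is then trusted as if it
/// belonged to the git installation.
pub fn installation_config_naive(output: &str) -> Option<&str> {
    output.lines().filter_map(parse_line).next().map(|e| e.path)
}

/// Hardened pattern: only accept an entry whose scope git reports as
/// `system`. A repository-local file can never satisfy this, so the absence
/// of a system config yields None instead of a less trusted file.
pub fn installation_config_checked(output: &str) -> Option<&str> {
    output
        .lines()
        .filter_map(parse_line)
        .find(|e| e.scope == "system")
        .map(|e| e.path)
}

/// Constructed sample: a system config is present (the common case).
pub const WITH_SYSTEM: &str = "system\tfile:/etc/gitconfig\tcore.autocrlf=false\n\
global\tfile:/home/alice/.gitconfig\tuser.name=Alice\n\
local\tfile:.git/config\tcore.repositoryformatversion=0\n";

/// Constructed sample: no system or global config, only the repository's own.
pub const LOCAL_ONLY: &str = "local\tfile:.git/config\tcore.repositoryformatversion=0\n\
local\tfile:.git/config\tremote.origin.url=https://example.invalid/attacker.git\n";

fn main() {
    println!("naive, with system:   {:?}", installation_config_naive(WITH_SYSTEM));
    println!("checked, with system: {:?}", installation_config_checked(WITH_SYSTEM));
    println!("naive, local only:    {:?}", installation_config_naive(LOCAL_ONLY));
    println!("checked, local only:  {:?}", installation_config_checked(LOCAL_ONLY));
}
```

With `LOCAL_ONLY`, the naive selection returns `.git/config`, i.e. a file controlled by whoever authored the repository, while the checked version returns `None`. Any caller that uses the result to locate "the installation's" configuration should treat `None` as "no such file" rather than falling back to whatever git printed first.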
References
- git-scm.com/docs/git-config
- github.com/Byron/gitoxide
- github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs
- github.com/Byron/gitoxide/security/advisories/GHSA-v26r-4c9c-h3j6
- github.com/advisories/GHSA-v26r-4c9c-h3j6
- nvd.nist.gov/vuln/detail/CVE-2024-45305
- rustsec.org/advisories/RUSTSEC-2024-0367.html