CVE-2024-45405: gix-path improperly resolves configuration path reported by Git
gix-path runs git to find the path of a configuration file associated with the git installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution.
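The summary above only says that paths with unusual or non-ASCII characters are resolved improperly. As an added illustration (not gitoxide's own code; function names are assumptions), the Rust below parses the origin field of one `git config -l --show-origin` line, the command the linked GHSA names as gix-path's source for the path, and contrasts merely stripping the quotes Git places around such a path with decoding Git's C-style escapes so the original path is recovered.

```rust
/// Origin field of one `git config -l --show-origin` line: between `file:` and the tab.
fn origin_field(line: &str) -> Option<&str> {
    line.strip_prefix("file:")?.split('\t').next()
}

/// Affected behaviour: drop the quotes and take the rest literally, so a quoted
/// path such as "/home/k\303\244the" turns into a different but valid path.
fn naive_strip_quotes(field: &str) -> Vec<u8> {
    let inner = field.strip_prefix('"').and_then(|s| s.strip_suffix('"'));
    inner.unwrap_or(field).as_bytes().to_vec()
}

/// Corrected behaviour: undo Git's C-style quoting (\\ \" \a \b \t \n \v \f \r and
/// \ooo octal for control or non-ASCII bytes). None means malformed quoting; reject it.
fn unquote_c_style(field: &str) -> Option<Vec<u8>> {
    let inner = match field.strip_prefix('"') {
        Some(s) => s.strip_suffix('"')?,
        None => return Some(field.as_bytes().to_vec()), // unquoted: already literal
    };
    let bytes = inner.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] != b'\\' {
            out.push(bytes[i]);
            i += 1;
            continue;
        }
        let esc = *bytes.get(i + 1)?;
        i += 2;
        out.push(match esc {
            b'\\' | b'"' => esc,
            b'a' => 0x07, b'b' => 0x08, b't' => b'\t', b'n' => b'\n',
            b'v' => 0x0b, b'f' => 0x0c, b'r' => b'\r',
            b'0'..=b'7' => {
                // exactly three octal digits encode one byte, e.g. \303\244 for "ä"
                let digits = std::str::from_utf8(bytes.get(i - 1..i + 2)?).ok()?;
                i += 2;
                u8::from_str_radix(digits, 8).ok()?
            }
            _ => return None,
        });
    }
    Some(out)
}

fn main() {
    // Constructed sample line in the form Git prints for a path containing "ä".
    let line = "file:\"/home/k\\303\\244the/.gitconfig\"\tuser.name=K";
    let field = origin_field(line).unwrap();
    println!("stripped: {:?}\nunquoted: {:?}", String::from_utf8_lossy(&naive_strip_quotes(field)), String::from_utf8_lossy(&unquote_c_style(field).unwrap()));
}
```

Asking git for NUL-separated output with `-z` avoids the quoting entirely; where that is not possible, reject any line whose quoting does not decode instead of guessing a path.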
References
- github.com/Byron/gitoxide
- github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs
- github.com/Byron/gitoxide/commit/650a1b5cf25e086197cc55a68525a411e1c28031
- github.com/Byron/gitoxide/security/advisories/GHSA-m8rp-vv92-46c7
- github.com/advisories/GHSA-m8rp-vv92-46c7
- nvd.nist.gov/vuln/detail/CVE-2024-45405
- rustsec.org/advisories/RUSTSEC-2024-0371.html