CVE-2024-35197: gix refs and paths with reserved Windows device names access the devices
(updated )
On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.
References
- github.com/Byron/gitoxide
- github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9
- github.com/advisories/GHSA-49jc-r788-3fc9
- nvd.nist.gov/vuln/detail/CVE-2024-35197
- rustsec.org/advisories/RUSTSEC-2024-0351.html
- rustsec.org/advisories/RUSTSEC-2024-0352.html
- rustsec.org/advisories/RUSTSEC-2024-0353.html
Code Behaviors & Features
Detect and mitigate CVE-2024-35197 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →