CVE-2024-32884
Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
Published: Apr 26, 2024 / Updated: 6mo ago

010

CVSS 6.4EPSS 0.04%Medium

CVE info copied to clipboard

gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

Timeline

CVE Assignment

NVD published the first details for CVE-2024-32884

Apr 26, 2024 at 6:15 PM

CVSS

A CVSS base score of 6.4 has been assigned.

Apr 26, 2024 at 6:20 PM / nvd

First Article

Feedly found the first article mentioning CVE-2024-32884. See article

Apr 26, 2024 at 6:24 PM / National Vulnerability Database

EPSS

EPSS Score was set to: 0.04% (Percentile: 8.2%)

Apr 27, 2024 at 10:04 AM

Threat Intelligence Report

CVE-2024-32884 is a critical vulnerability in Gitoxide that allows for arbitrary code execution when a specially crafted clone URL is used in an application with a malicious file in its working directory. While the attack complexity is higher than a previously patched vulnerability, it still poses a significant risk. Patches are available in versions 0.35.0, 0.42.0, and 0.62.0 to mitigate this issue. See article

Apr 29, 2024 at 10:00 PM

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 19, 2024 at 10:52 PM