CVE-2023-53158: 
Rust vulnerability analysis and mitigation

The gix-transport crate before version 0.36.1 for Rust contains a command execution vulnerability that allows attackers to execute arbitrary commands through maliciously crafted SSH clone URLs. The vulnerability was discovered and disclosed on September 23, 2023, and affects the gix-transport package, which is a component of the gitoxide Git implementation in Rust (GitHub Advisory, RustSec Advisory).

The vulnerability stems from insufficient sanitization of SSH clone URLs, where malicious arguments can be passed to the SSH program. The issue has been assigned CVE-2023-53158 with a CVSS v3.1 score of 4.1 (Medium), based on metrics AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-88 (Improper Neutralization of Argument Delimiters in a Command) (GitHub Advisory).

When exploited, this vulnerability allows attackers to execute arbitrary commands on the target system through specially crafted SSH clone URLs. For example, on macOS, an attacker could craft a URL to launch the calculator application using the command 'gix clone ssh://-oProxyCommand=open$IFS-aCalculator/foo' (GitHub Advisory, RustSec Advisory).

The vulnerability has been patched in gix-transport version 0.36.1. Users are strongly advised to upgrade to this version or later to prevent potential exploitation. The fix involves proper sanitization of command-line arguments before they are passed to the SSH program (GitHub PR, RustSec Advisory).