CVE-2024-51990: 
Rust vulnerability analysis and mitigation

jj (Jujutsu), a Git-compatible Version Control System written in Rust, was found to be vulnerable to path traversal attacks in versions prior to 0.23.0. The vulnerability (CVE-2024-51990) was discovered and disclosed on November 6, 2024, allowing attackers to write files outside the clone directory through specially crafted Git repositories (GitHub Advisory).

The vulnerability stems from improper path validation when handling file objects containing path traversals in Git repositories. When cloning a maliciously crafted repository, jj fails to properly sanitize paths containing '../' sequences, allowing writes to arbitrary locations outside the intended clone directory. The vulnerability has been assigned a CVSS v4.0 score of 9.3 CRITICAL with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N, indicating high severity with network attack vector and no special privileges required (NVD).

Successful exploitation of this vulnerability allows attackers to write files to arbitrary locations outside the clone directory, potentially leading to system compromise through malicious file placement. The attack can be initiated remotely through a specially crafted Git repository (GitHub Advisory).

The vulnerability has been patched in version 0.23.0 of jj. Users are strongly advised to upgrade to this version. For users unable to upgrade immediately, the only workaround is to avoid cloning repositories from untrusted sources (GitHub Advisory).