
RUSTSEC-2024-0350
Rust vulnerability analysis and mitigation

Overview

The vulnerability (RUSTSEC-2024-0350) affects gitoxide, a pure Rust implementation of Git. During checkout operations, the gix-worktree-state component fails to verify that paths point to locations within the working tree. This vulnerability was discovered and disclosed in May 2024, affecting multiple components including gitoxide (<0.36.0), gix-fs (<0.11.0), gix-index (<0.33.0), and gix-worktree (<0.34.0). The issue allows attackers to exploit path traversal weaknesses to place files outside the intended working directory (GitHub Advisory).

Technical details

The vulnerability stems from insufficient path validation in multiple components. While gix-worktree-state checks for collisions with existing files, it does not verify that paths stay within the working tree during checkout operations. The issue can be exploited through various methods, including trees named '..' for upward traversal, trees named '.git' for writing into the repository's git directory, or path separators ('/' or '\') embedded in tree or blob names. The vulnerability is particularly concerning on case-insensitive filesystems and on systems with specific configurations such as NTFS with 8.3 short-name aliasing enabled. The severity is rated as High with a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (GitHub Advisory).
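As an added illustration of the missing check (this is example code, not gitoxide's own implementation), the validator below rejects the tree and blob names the advisory lists before a checkout would join them into a filesystem path. The function names `check_component` and `check_path`, the `Rejection` enum, and the NTFS name folding (trailing dots and spaces stripped, ASCII case ignored, `git~1` treated as the 8.3 alias of `.git`) are assumptions made for this example and are a simplified approximation of what a full checkout implementation needs.

```rust
// Added example, not gitoxide's code: per-component validation for
// names taken from tree objects during checkout. Every component must
// pass before the path is written under the working tree.

/// Reasons a path component must not be written to the working tree.
#[derive(Debug, PartialEq, Eq)]
pub enum Rejection {
    Empty,
    DotOrDotDot, // "." or ".." would escape the working tree
    Separator,   // '/' or '\' inside a single component
    Nul,
    DotGit,      // ".git" (any case or NTFS alias) targets repo metadata
}

/// Fold a name the way NTFS matches it: drop trailing dots and spaces,
/// then compare ASCII case-insensitively. (Assumed simplification.)
fn ntfs_fold(name: &[u8]) -> Vec<u8> {
    let trimmed = name
        .iter()
        .rposition(|b| *b != b'.' && *b != b' ')
        .map_or(&name[..0], |i| &name[..=i]);
    trimmed.to_ascii_lowercase()
}

/// Check a single tree or blob name as stored in a tree object.
pub fn check_component(name: &[u8]) -> Result<(), Rejection> {
    if name.is_empty() {
        return Err(Rejection::Empty);
    }
    if name == b"." || name == b".." {
        return Err(Rejection::DotOrDotDot);
    }
    if name.contains(&b'/') || name.contains(&b'\\') {
        return Err(Rejection::Separator);
    }
    if name.contains(&0) {
        return Err(Rejection::Nul);
    }
    // "git~1" is the 8.3 short name NTFS may assign to ".git".
    let folded = ntfs_fold(name);
    if folded == b".git" || folded == b"git~1" {
        return Err(Rejection::DotGit);
    }
    Ok(())
}

/// Validate every component of a tree path; reports the index of the
/// first offending component so a checkout can log and skip the entry.
pub fn check_path(components: &[&[u8]]) -> Result<(), (usize, Rejection)> {
    for (i, c) in components.iter().enumerate() {
        check_component(c).map_err(|r| (i, r))?;
    }
    Ok(())
}
```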

Impact

The vulnerability can lead to arbitrary code execution and unauthorized file creation outside the repository directory. When exploited, it enables attackers to place files anywhere writable by the application, potentially leading to complete loss of confidentiality, integrity, and availability. Even without code execution, the ability to create files outside the working tree directly impacts system integrity. The impact is particularly severe when cloning untrusted repositories, though it may be less critical in isolated CI/CD environments (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in multiple components: gitoxide version 0.36.0, gix-fs version 0.11.0, gix-index version 0.33.0, and gix-worktree version 0.34.0. Users are strongly advised to upgrade to these or later versions to mitigate the vulnerability (Debian Security Tracker, GitHub Advisory).

This report was generated using AI.
