cvelistv5 - cve-2024-32884

CVE-2024-32884 (GCVE-0-2024-32884)

Vulnerability from cvelistv5

Published

2024-04-26 18:04

Modified

2024-08-02 02:20

Severity ?

6.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Summary

gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.

References

►

URL

Tags

	security-advisories@github.com	https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh
	security-advisories@github.com	https://rustsec.org/advisories/RUSTSEC-2024-0335.html
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh
	af854a3a-2127-422b-91ae-364da2661108	https://rustsec.org/advisories/RUSTSEC-2024-0335.html

Impacted products

	Vendor	Product	Version
	Byron	gitoxide	Version: < 0.42.0 Version: < 0.62 Version: < 0.35

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:byron:gitoxide:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "gitoxide",
            "vendor": "byron",
            "versions": [
              {
                "lessThan": "0.35.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "0.62.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "0.42.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32884",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-01T17:14:15.110574Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:52.416Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:20:35.704Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh"
          },
          {
            "name": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gitoxide",
          "vendor": "Byron",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.42.0"
            },
            {
              "status": "affected",
              "version": "\u003c 0.62"
            },
            {
              "status": "affected",
              "version": "\u003c 0.35"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-26T18:04:04.374Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh"
        },
        {
          "name": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html"
        }
      ],
      "source": {
        "advisory": "GHSA-98p4-xjmm-8mfh",
        "discovery": "UNKNOWN"
      },
      "title": "gix-transport indirect code execution via malicious username"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32884",
    "datePublished": "2024-04-26T18:04:04.374Z",
    "dateReserved": "2024-04-19T14:07:11.231Z",
    "dateUpdated": "2024-08-02T02:20:35.704Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-32884\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-04-26T18:15:46.167\",\"lastModified\":\"2024-11-21T09:15:56.180\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.\"},{\"lang\":\"es\",\"value\":\"gitoxide es una implementaci\u00f3n Rust pura de Git. `gix-transport` no verifica la parte del nombre de usuario de una URL en busca de texto que el programa externo `ssh` interpretar\u00eda como una opci\u00f3n. Una URL clonada especialmente manipulada puede pasar de contrabando opciones a SSH. Las posibilidades son sint\u00e1cticamente limitadas, pero si una aplicaci\u00f3n cuyo directorio de trabajo actual contiene un archivo malicioso utiliza una URL de clonaci\u00f3n maliciosa, se produce la ejecuci\u00f3n de c\u00f3digo arbitrario. Esto est\u00e1 relacionado con la vulnerabilidad parcheada GHSA-rrjw-j4m2-mf34, pero parece menos grave debido a una mayor complejidad del ataque. Este problema se solucion\u00f3 en las versiones 0.35.0, 0.42.0 y 0.62.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"},{\"lang\":\"en\",\"value\":\"CWE-88\"}]}],\"references\":[{\"url\":\"https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://rustsec.org/advisories/RUSTSEC-2024-0335.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://rustsec.org/advisories/RUSTSEC-2024-0335.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"gix-transport indirect code execution via malicious username\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-77\", \"lang\": \"en\", \"description\": \"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-88\", \"lang\": \"en\", \"description\": \"CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh\"}, {\"name\": \"https://rustsec.org/advisories/RUSTSEC-2024-0335.html\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://rustsec.org/advisories/RUSTSEC-2024-0335.html\"}], \"affected\": [{\"vendor\": \"Byron\", \"product\": \"gitoxide\", \"versions\": [{\"version\": \"\u003c 0.42.0\", \"status\": \"affected\"}, {\"version\": \"\u003c 0.62\", \"status\": \"affected\"}, {\"version\": \"\u003c 0.35\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-04-26T18:04:04.374Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.\"}], \"source\": {\"advisory\": \"GHSA-98p4-xjmm-8mfh\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-32884\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-01T17:14:15.110574Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:byron:gitoxide:*:*:*:*:*:*:*:*\"], \"vendor\": \"byron\", \"product\": \"gitoxide\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.35.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.62.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.42.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-01T17:07:27.869Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-32884\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-04-19T14:07:11.231Z\", \"datePublished\": \"2024-04-26T18:04:04.374Z\", \"dateUpdated\": \"2024-06-04T17:49:52.416Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2024-32884

Vulnerability from fkie_nvd

Published

2024-04-26 18:15

Modified

2024-11-21 09:15

Severity ?

6.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

Summary

References

▶	URL	Tags
	security-advisories@github.com	https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh
	security-advisories@github.com	https://rustsec.org/advisories/RUSTSEC-2024-0335.html
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh
	af854a3a-2127-422b-91ae-364da2661108	https://rustsec.org/advisories/RUSTSEC-2024-0335.html

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0."
    },
    {
      "lang": "es",
      "value": "gitoxide es una implementaci\u00f3n Rust pura de Git. `gix-transport` no verifica la parte del nombre de usuario de una URL en busca de texto que el programa externo `ssh` interpretar\u00eda como una opci\u00f3n. Una URL clonada especialmente manipulada puede pasar de contrabando opciones a SSH. Las posibilidades son sint\u00e1cticamente limitadas, pero si una aplicaci\u00f3n cuyo directorio de trabajo actual contiene un archivo malicioso utiliza una URL de clonaci\u00f3n maliciosa, se produce la ejecuci\u00f3n de c\u00f3digo arbitrario. Esto est\u00e1 relacionado con la vulnerabilidad parcheada GHSA-rrjw-j4m2-mf34, pero parece menos grave debido a una mayor complejidad del ataque. Este problema se solucion\u00f3 en las versiones 0.35.0, 0.42.0 y 0.62.0."
    }
  ],
  "id": "CVE-2024-32884",
  "lastModified": "2024-11-21T09:15:56.180",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-04-26T18:15:46.167",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        },
        {
          "lang": "en",
          "value": "CWE-88"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

gsd-2024-32884

Vulnerability from gsd

Modified

2024-04-20 05:02

Details

Aliases

CVE-2024-32884

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-32884"
      ],
      "details": "gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.",
      "id": "GSD-2024-32884",
      "modified": "2024-04-20T05:02:00.398503Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-32884",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "gitoxide",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 0.42.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 0.62"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 0.35"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Byron"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-77",
                "lang": "eng",
                "value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
              }
            ]
          },
          {
            "description": [
              {
                "cweId": "CWE-88",
                "lang": "eng",
                "value": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh",
            "refsource": "MISC",
            "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh"
          },
          {
            "name": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html",
            "refsource": "MISC",
            "url": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-98p4-xjmm-8mfh",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0."
          }
        ],
        "id": "CVE-2024-32884",
        "lastModified": "2024-04-26T19:59:19.793",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 1.6,
              "impactScore": 4.7,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-04-26T18:15:46.167",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-77"
              },
              {
                "lang": "en",
                "value": "CWE-88"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

ghsa-98p4-xjmm-8mfh

Vulnerability from github

Published

2024-04-15 19:33

Modified

2024-07-05 18:07

Severity ?

6.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

Summary

gix-transport indirect code execution via malicious username

Details

Summary

gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.

Details

This is related to the patched vulnerability https://github.com/advisories/GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. Since https://github.com/Byron/gitoxide/pull/1032, gix-transport checks the host and path portions of a URL for text that has a - in a position that will cause ssh to interpret part of all of the URL as an option argument. But it does not check the non-mandatory username portion of the URL.

As in Git, when an address is a URL of the form ssh://username@hostname/path, or when it takes the special form username@hostname:dirs/repo, this is treated as an SSH URL. gix-transport will replace some characters in username with their %-based URL encodings, but otherwise passes username@hostname as an argument to the external ssh command. This happens even if username begins with a hyphen. In that case, ssh treats that argument as an option argument, and attempts to interpret and honor it as a sequence of one or more options possibly followed by an operand for the last option.

This is harder to exploit than GHSA-rrjw-j4m2-mf34, because the possibilities are constrained by:

The difficulty of forming an option argument ssh accepts, given that characters such as =, /, and \, are URL-encoded, : is removed, and the argument passed to ssh contains the @ sign and subsequent host identifier, which in an effective attack must be parseable as a suffix of the operand passed to the last option.

The inability to include a literal = prevents the use of -oNAME=VALUE (e.g., -oProxyCommand=payload). The inability to include a literal / or \ prevents smuggling in a path operand residing outside the current working directory, incuding on Windows. (Although a ~ character may be smuggled in, ssh does not perform its own tilde expansion, so it does not form an absolute path.)

The difficulty, or perhaps impossibility, of completing a connection (other than when arbitrary code execution has been achieved). This complicates or altogether prevents the use of options such as -A and -X together with a connection to a real but malicious server. The reason a connection cannot generally be completed when exploiting this vulnerability is that, because the argument gix-transport intends as a URL is treated as an option argument, ssh treats the subsequent non-option argument git-upload-pack as the host instead of the command, but it is not a valid host name.

Although ssh supports aliases for hosts, even if git-upload-pack could be made an alias, that is made difficult by the URL-encoding transformation.

However, an attacker who is able to cause a specially named ssh configuration file to be placed in the current working directory can smuggle in an -F option referencing the file, and this allows arbitrary command execution.

This scenario is especially plausible because programs that operate on git repositories are often run in untrusted git repositories, sometimes even to operate on another repository. Situations where this is likely, such that an attacker could predict or arrange it, may for some applications include a malicious repository with a malicious submodule configuration.

Other avenues of exploitation exist, but appear to be less severe. For example, the -E option can be smuggled to create or append to a file in the current directory (or its target, if it is a symlink). There may also be other significant ways to exploit this that have not yet been discovered, or that would arise with new options in future versions of ssh.

PoC

To reproduce the known case that facilitates arbitrary code execution, first create a file in the current directory named configfile@example.com, of the form

text ProxyCommand payload

where payload is a command with an observable side effect. On Unix-like systems, this could be date | tee vulnerable or an xdg-open, open, or other command command to launch a graphical application. On Windows, this could be the name of a graphical application already in the search path, such as calc.exe.

(Although the syntax permitted in the value of ProxyCommand may vary by platform, this is not limited to running commands in the current directory. That limitation only applies to paths directly smuggled in the username, not to the contents of a separate malicious configuration file. Arbitrary other settings may be specified in configfile@example.com as well.)

Then run:

sh gix clone 'ssh://-Fconfigfile@example.com/abc'

Or:

sh gix clone -- '-Fconfigfile@example.com:abc/def'

(The -- is required to ensure that gix is really passing the argument as a URL for use in gix-transport, rather than interpreting it as an option itself, which would not necessarily be a vulnerability.)

In either case, the payload specified in configfile@example.com runs, and its side effect can be observed.

Other cases may likewise be produced, in either of the above two forms of SSH addresses. For example, to create or append to the file errors@example.com, or to create or append to its target if it is a symlink:

sh gix clone 'ssh://-Eerrors@example.com/abc'

sh gix clone -- '-Eerrors@example.com:abc/def'

Impact

As in https://github.com/advisories/GHSA-rrjw-j4m2-mf34, this would typically require user interaction to trigger an attempt to clone or otherwise connect using the malicious URL. Furthermore, known means of exploiting this vulnerability to execute arbitrary commands require further preparatory steps to establish a specially named file in the current directory. The impact is therefore expected to be lesser, though it is difficult to predict it with certainty because it is not known exactly what scenarios will arise when using the gix-transport library.

Users who use applications that make use of gix-transport are potentially vulnerable, especially:

On repositories with submodules that are automatically added, depending how the application manages submodules.
When operating on other repositories from inside an untrusted repository.
When reviewing contributions from untrusted developers by checking out a branch from an untrusted fork and performing clones from that location.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-transport"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.42.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.62"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gitoxide"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.35"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32884"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-15T19:33:03Z",
    "nvd_published_at": "2024-04-26T18:15:46Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.\n\n### Details\n\nThis is related to the patched vulnerability https://github.com/advisories/GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. Since https://github.com/Byron/gitoxide/pull/1032, `gix-transport` checks the host and path portions of a URL for text that has a `-` in a position that will cause `ssh` to interpret part of all of the URL as an option argument. But it does not check the non-mandatory username portion of the URL.\n\nAs in Git, when an address is a URL of the form `ssh://username@hostname/path`, or when it takes the special form `username@hostname:dirs/repo`, this is treated as an SSH URL. `gix-transport` will replace some characters in `username` with their `%`-based URL encodings, but otherwise passes `username@hostname` as an argument to the external `ssh` command. This happens even if `username` begins with a hyphen. In that case, `ssh` treats that argument as an option argument, and attempts to interpret and honor it as a sequence of one or more options possibly followed by an operand for the last option.\n\nThis is harder to exploit than GHSA-rrjw-j4m2-mf34, because the possibilities are constrained by:\n\n- The difficulty of forming an option argument `ssh` accepts, given that characters such as `=`, `/`, and `\\`, are URL-encoded, `:` is removed, and the argument passed to `ssh` contains the `@` sign and subsequent host identifier, which in an effective attack must be parseable as a suffix of the operand passed to the last option.\n\n  The inability to include a literal `=` prevents the use of `-oNAME=VALUE` (e.g., `-oProxyCommand=payload`). The inability to include a literal `/` or `\\` prevents smuggling in a path operand residing outside the current working directory, incuding on Windows. (Although a `~` character may be smuggled in, `ssh` does not perform its own tilde expansion, so it does not form an absolute path.)\n\n- The difficulty, or perhaps impossibility, of completing a connection (other than when arbitrary code execution has been achieved). This complicates or altogether prevents the use of options such as `-A` and `-X` together with a connection to a real but malicious server. The reason a connection cannot generally be completed when exploiting this vulnerability is that, because the argument `gix-transport` intends as a URL is treated as an option argument, `ssh` treats the subsequent non-option argument `git-upload-pack` as the host instead of the command, but it is not a valid host name.\n\n  Although `ssh` supports aliases for hosts, even if `git-upload-pack` could be made an alias, that is made difficult by the URL-encoding transformation.\n\nHowever, an attacker who is able to cause a specially named `ssh` configuration file to be placed in the current working directory can smuggle in an `-F` option referencing the file, and this allows arbitrary command execution.\n\nThis scenario is especially plausible because programs that operate on git repositories are often run in untrusted git repositories, sometimes even to operate on another repository. Situations where this is likely, such that an attacker could predict or arrange it, may for some applications include a malicious repository with a malicious submodule configuration.\n\nOther avenues of exploitation exist, but appear to be less severe. For example, the `-E` option can be smuggled to create or append to a file in the current directory (or its target, if it is a symlink). There may also be other significant ways to exploit this that have not yet been discovered, or that would arise with new options in future versions of `ssh`.\n\n### PoC\n\nTo reproduce the known case that facilitates arbitrary code execution, first create a file in the current directory named `configfile@example.com`, of the form\n\n```text\nProxyCommand payload\n```\n\nwhere `payload` is a command with an observable side effect. On Unix-like systems, this could be `date | tee vulnerable` or an `xdg-open`, `open`, or other command command to launch a graphical application. On Windows, this could be the name of a graphical application already in the search path, such as `calc.exe`.\n\n(Although the syntax permitted in the value of `ProxyCommand` may vary by platform, this is not limited to running commands in the current directory. That limitation only applies to paths directly smuggled in the username, not to the contents of a separate malicious configuration file. Arbitrary other settings may be specified in `configfile@example.com` as well.)\n\nThen run:\n\n```sh\ngix clone \u0027ssh://-Fconfigfile@example.com/abc\u0027\n```\n\nOr:\n\n```sh\ngix clone -- \u0027-Fconfigfile@example.com:abc/def\u0027\n```\n\n(The `--` is required to ensure that `gix` is really passing the argument as a URL for use in `gix-transport`, rather than interpreting it as an option itself, which would not necessarily be a vulnerability.)\n\nIn either case, the payload specified in `configfile@example.com` runs, and its side effect can be observed.\n\nOther cases may likewise be produced, in either of the above two forms of SSH addresses. For example, to create or append to the file `errors@example.com`, or to create or append to its target if it is a symlink:\n\n```sh\ngix clone \u0027ssh://-Eerrors@example.com/abc\u0027\n```\n\n```sh\ngix clone -- \u0027-Eerrors@example.com:abc/def\u0027\n```\n\n### Impact\n\nAs in https://github.com/advisories/GHSA-rrjw-j4m2-mf34, this would typically require user interaction to trigger an attempt to clone or otherwise connect using the malicious URL. Furthermore, known means of exploiting this vulnerability to execute arbitrary commands require further preparatory steps to establish a specially named file in the current directory. The impact is therefore expected to be lesser, though it is difficult to predict it with certainty because it is not known exactly what scenarios will arise when using the `gix-transport` library.\n\nUsers who use applications that make use of `gix-transport` are potentially vulnerable, especially:\n\n- On repositories with submodules that are automatically added, depending how the application manages submodules.\n- When operating on other repositories from inside an untrusted repository.\n- When reviewing contributions from untrusted developers by checking out a branch from an untrusted fork and performing clones from that location.\n",
  "id": "GHSA-98p4-xjmm-8mfh",
  "modified": "2024-07-05T18:07:37Z",
  "published": "2024-04-15T19:33:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32884"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Byron/gitoxide"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0335.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "gix-transport indirect code execution via malicious username"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-32884 (GCVE-0-2024-32884)

Vulnerability from cvelistv5

fkie_cve-2024-32884

Vulnerability from fkie_nvd

gsd-2024-32884

Vulnerability from gsd

ghsa-98p4-xjmm-8mfh

Vulnerability from github

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature