{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35186", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-10T14:24:24.340Z", "datePublished": "2024-05-23T08:55:20.653Z", "dateUpdated": "2024-08-02T03:07:46.876Z"}, "containers": {"cna": {"title": "gix traversal outside working tree enables arbitrary code execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c"}], "affected": [{"vendor": "Byron", "product": "gitoxide", "versions": [{"version": "< 0.36.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-23T08:55:20.653Z"}, "descriptions": [{"lang": "en", "value": "gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0.36.0."}], "source": {"advisory": "GHSA-7w47-3wg8-547c", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35186", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-23T17:34:38.737689Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:byron:gitoxide:*:*:*:*:*:*:*:*"], "vendor": "byron", "product": "gitoxide", "versions": [{"status": "affected", "version": "0", "lessThan": "0.36.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:34:36.271Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.876Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c", "name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.876Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35186", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-23T17:34:38.737689Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:byron:gitoxide:*:*:*:*:*:*:*:*"], "vendor": "byron", "product": "gitoxide", "versions": [{"status": "affected", "version": "0", "lessThan": "0.36.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T17:24:37.853Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "gix traversal outside working tree enables arbitrary code execution", "source": {"advisory": "GHSA-7w47-3wg8-547c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Byron", "product": "gitoxide", "versions": [{"status": "affected", "version": "< 0.36.0"}]}], "references": [{"url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c", "name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0.36.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-23T08:55:20.653Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35186", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:07:46.876Z", "dateReserved": "2024-05-10T14:24:24.340Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-23T08:55:20.653Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0.36.0."}, {"lang": "es", "value": "gitoxide es una implementaci\u00f3n Rust pura de Git. Durante el pago, `gix-worktree-state` no verifica que las rutas apunten a ubicaciones en el \u00e1rbol de trabajo. Un repositorio especialmente manipulado puede, cuando se clona, colocar archivos nuevos en cualquier lugar donde la aplicaci\u00f3n pueda escribirlos. Esta vulnerabilidad provoca una p\u00e9rdida importante de confidencialidad, integridad y disponibilidad, pero la creaci\u00f3n de archivos fuera de un \u00e1rbol de trabajo sin intentar ejecutar c\u00f3digo tambi\u00e9n puede afectar directamente la integridad. Esta vulnerabilidad ha sido parcheada en las versiones 0.36.0."}], "id": "CVE-2024-35186", "lastModified": "2024-05-24T01:15:30.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-23T09:15:09.620", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}