CVE-2024-35186
📋 TL;DR
This vulnerability in gitoxide's gix-worktree-state allows attackers to place files anywhere writable by the application during checkout. It affects users who clone untrusted repositories with vulnerable versions of gitoxide. The impact includes potential file system manipulation and integrity compromise.
💻 Affected Systems
- gitoxide
- gix-worktree-state
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could overwrite critical system files, configuration files, or place malicious executables in trusted locations, potentially leading to system compromise or data loss.
Likely Case
Attackers could place malicious files in user directories, configuration locations, or other writable paths to establish persistence or manipulate application behavior.
If Mitigated
With proper access controls and sandboxing, impact is limited to the application's sandbox or user's home directory.
🎯 Exploit Status
Exploitation requires cloning a malicious repository. No authentication needed beyond repository access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.36.0
Vendor Advisory: https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c
Restart Required: No
Instructions:
1. Update gitoxide to version 0.36.0 or later.
2. For Rust projects, update the Cargo.toml dependency to 'gix-worktree-state = "^0.36.0"'.
3. Run 'cargo update' to fetch the patched version.
🔧 Temporary Workarounds
Avoid cloning untrusted repositories
All platforms: Only clone repositories from trusted sources until patched
Run gitoxide with restricted permissions
Linux: Run gitoxide with minimal file system permissions using sandboxing (the bubblewrap binary is named bwrap)
firejail --noprofile gitoxide clone [repo]
bwrap --ro-bind / / --dev-bind /dev /dev --tmpfs /tmp gitoxide clone [repo]
🧯 If You Can't Patch
- Implement strict repository source validation and only clone from trusted sources
- Run gitoxide in a container or VM with restricted file system access
🔍 How to Verify
Check if Vulnerable:
Check if gix-worktree-state version is below 0.36.0 in Cargo.lock or by running 'cargo tree | grep gix-worktree-state'
Check Version (prints the crate's name line and the version line that follows it in Cargo.lock):
grep -A1 '^name = "gix-worktree-state"$' Cargo.lock
Verify Fix Applied:
Verify gix-worktree-state version is 0.36.0 or higher in Cargo.lock
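As an added example (not part of this advisory page or of the gitoxide project), the following POSIX shell check parses a Cargo.lock for every locked gix-worktree-state version and compares each against the patched version stated above (0.36.0, overridable via the second argument); the sample lockfile it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory page: parse a Cargo.lock and report whether
# the locked gix-worktree-state is below the patched version the page names
# (0.36.0, adjustable via the second argument of check_lockfile).

# Print every version at which a crate is locked in a Cargo.lock (one per line).
# Usage: locked_version <crate> <path-to-Cargo.lock>
locked_version() {
    awk -v crate="$1" '
        /^\[\[package\]\]/ { name = ""; ver = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = /      { gsub(/"/, "", $3); ver = $3 }
        name == crate && ver != "" { print ver; name = ""; ver = "" }
    ' "$2"
}

# True (exit 0) when dotted version $1 is strictly lower than $2.
# Components are compared numerically; pre-release suffixes are ignored.
version_lt() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { n = NF; for (i = 1; i <= n; i++) a[i] = $i + 0 }
        NR == 2 {
            m = NF > n ? NF : n
            for (i = 1; i <= m; i++) {
                x = (i <= n) ? a[i] : 0; y = (i <= NF) ? $i + 0 : 0
                if (x < y) exit 0
                if (x > y) exit 1
            }
            exit 1
        }'
}

# Exit 0 if every locked gix-worktree-state is at or above the patched version,
# 1 if any locked copy is below it (vulnerable), 2 if the crate is not present.
check_lockfile() {
    lock="$1"; patched="${2:-0.36.0}"; found=0; vuln=0
    for v in $(locked_version gix-worktree-state "$lock"); do
        found=1
        if version_lt "$v" "$patched"; then vuln=1; fi
    done
    [ "$found" -eq 1 ] || return 2
    [ "$vuln" -eq 0 ]
}

# Write a minimal constructed Cargo.lock (not a real project's) locking the crate at $2.
write_sample_lock() {
    printf '[[package]]\nname = "gix-path"\nversion = "0.10.7"\n\n' > "$1"
    printf '[[package]]\nname = "gix-worktree-state"\nversion = "%s"\n' "$2" >> "$1"
}

tmp=$(mktemp); write_sample_lock "$tmp" "0.10.0"
rc=0; check_lockfile "$tmp" || rc=$?
echo "gix-worktree-state 0.10.0 -> rc=$rc (1 = below patched version)"; rm -f "$tmp"
```

Run it against a real project with `check_lockfile path/to/Cargo.lock`; a crate locked at several versions is reported vulnerable if any of them is below the threshold.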
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation outside expected working tree directories during git operations
- Repository clones from unknown or suspicious sources
Network Indicators:
- Git clone operations from untrusted or unknown repositories
SIEM Query:
process.name:"gitoxide" AND file.create.path:!"*/.git/*" AND file.create.path:!"*/working_tree/*"