CVE-2024-40644
📋 TL;DR
When the gix-path component of gitoxide cannot find git in PATH on Windows, it falls back to two hard-coded directories, C:\Program Files\Git\mingw64\bin and C:\Program Files (x86)\Git\mingw32\bin, and runs whatever git.exe it finds there. On 32-bit Windows the 'Program Files (x86)' directory does not exist, and by default any authenticated user may create folders directly under the system drive root, so a limited user can create it and plant a malicious git.exe. That binary then runs with the privileges of any other user whose gix-path-based application cannot resolve git through PATH, giving the attacker arbitrary code execution as that user.
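As an added illustration of the mechanism (this is not code from gitoxide), the hard-coded lookup is shown beside an environment-derived one modelled on the approach the fix takes: candidate directories come from the ProgramFiles, ProgramFiles(x86) and ProgramW6432 variables of the victim's own environment instead of fixed C: paths. The example is written to run off Windows, so the environment is passed in as a map and the filesystem check is a constructed closure. The subdirectory mapping, the drive-letter check and all function names are this example's assumptions; the exact checks in gix-path 0.10.9 differ.

```rust
use std::collections::HashMap;

/// Process environment as a plain map, so the lookup can be exercised off a Windows host.
type Env = HashMap<String, String>;

/// Pre-0.10.9 behaviour: fixed directories on the C: drive, consulted whenever `git` is not in
/// PATH. Nothing ties them to the real Program Files location, so on a 32-bit host (where
/// "C:\Program Files (x86)" does not exist) a limited user can create it and plant git.exe.
pub fn fallback_dirs_hardcoded() -> Vec<String> {
    vec![
        "C:/Program Files/Git/mingw64/bin".to_string(),
        "C:/Program Files (x86)/Git/mingw32/bin".to_string(),
    ]
}

/// True for "<letter>:\..." or "<letter>:/...", the only shape Windows uses for these variables.
/// Relative paths, UNC paths and bare drive letters are rejected so a malformed value is ignored.
pub fn is_drive_absolute(p: &str) -> bool {
    let b = p.as_bytes();
    b.len() >= 3 && b[0].is_ascii_alphabetic() && b[1] == b':' && (b[2] == b'\\' || b[2] == b'/')
}

/// Hardened behaviour (illustrative): candidates come only from the Program Files variables
/// Windows itself sets in the environment of the process doing the lookup.
/// - ProgramW6432      : 64-bit Program Files, set only on 64-bit Windows -> Git/mingw64/bin
/// - ProgramFiles(x86) : 32-bit Program Files, set only on 64-bit Windows -> Git/mingw32/bin
/// - ProgramFiles      : the current process's Program Files; its bitness depends on host and
///                       process, so both Git for Windows layouts are tried under it (assumption).
/// On a 32-bit host the first two are unset, so no "(x86)" path is ever produced.
pub fn fallback_dirs_from_env(env: &Env) -> Vec<String> {
    const RULES: [(&str, &[&str]); 3] = [
        ("ProgramW6432", &["Git/mingw64/bin"]),
        ("ProgramFiles(x86)", &["Git/mingw32/bin"]),
        ("ProgramFiles", &["Git/mingw64/bin", "Git/mingw32/bin"]),
    ];
    let mut out: Vec<String> = Vec::new();
    for (var, subdirs) in RULES {
        let Some(root) = env.get(var) else { continue };
        if !is_drive_absolute(root) {
            continue;
        }
        let root = root.replace('\\', "/");
        let root = root.trim_end_matches('/');
        for sub in subdirs.iter() {
            let dir = format!("{root}/{sub}");
            if !out.contains(&dir) {
                out.push(dir);
            }
        }
    }
    out
}

/// Pick the first candidate holding a git.exe. `exists` stands in for `Path::is_file` so the
/// selection logic can run against a constructed filesystem listing.
pub fn find_git_exe(dirs: &[String], exists: &dyn Fn(&str) -> bool) -> Option<String> {
    dirs.iter()
        .map(|d| format!("{d}/git.exe"))
        .find(|p| exists(p.as_str()))
}

/// Constructed environment of a 32-bit Windows host: only ProgramFiles is set.
pub fn env_32bit_host() -> Env {
    HashMap::from([("ProgramFiles".to_string(), "C:\\Program Files".to_string())])
}

/// Constructed environment of a 64-bit host as seen by a 64-bit process.
pub fn env_64bit_host() -> Env {
    HashMap::from([
        ("ProgramFiles".to_string(), "C:\\Program Files".to_string()),
        ("ProgramFiles(x86)".to_string(), "C:\\Program Files (x86)".to_string()),
        ("ProgramW6432".to_string(), "C:\\Program Files".to_string()),
    ])
}

fn main() {
    // Constructed listing: the attacker's planted binary is the only git.exe on a 32-bit host.
    let planted = "C:/Program Files (x86)/Git/mingw32/bin/git.exe";
    let fs = |p: &str| p == planted;

    let vulnerable = find_git_exe(&fallback_dirs_hardcoded(), &fs);
    let hardened = find_git_exe(&fallback_dirs_from_env(&env_32bit_host()), &fs);
    println!("hard-coded lookup picks:   {vulnerable:?}"); // the planted path
    println!("env-derived lookup picks:  {hardened:?}"); // None
}
```

The environment-derived variant is only as trustworthy as the environment of the process running it, which is the point: the attack crosses user boundaries, and a limited user cannot set ProgramFiles for another account's processes, whereas anyone can create a missing top-level folder on the system drive.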
💻 Affected Systems
- gitoxide gix-path crate, versions earlier than 0.10.9, on Windows; any application that embeds it inherits the issue
⚠️ Manual Verification Required
This CVE has no version range in the NVD entry, so automatic vulnerability detection cannot determine from version data alone whether your system is affected.
Why? The NVD record carries no CPE or version range for this crate. The vendor advisory (GHSA-mgvv-9p9g-3jv4) does: gix-path versions earlier than 0.10.9 are affected, and only on Windows.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A limited user gets code executed as an administrator, or as any other user, who runs a gix-path-based application on the affected host, and inherits that account's privileges and data access.
Likely Case
A limited user executes code as another user on hosts where git is not resolvable through PATH (in practice 32-bit Windows with the planted 'Program Files (x86)' directory), gaining access to that user's files and credentials or a foothold for lateral movement.
If Mitigated
No impact when git resolves through PATH for every user (the hard-coded locations are consulted only when it does not) or when the application has been rebuilt with gix-path 0.10.9 or later.
🎯 Exploit Status
Requires a limited user account on the target host, a Windows installation on which one of the hard-coded directories is missing and creatable by that user (in practice 32-bit Windows, where 'Program Files (x86)' does not exist), and a victim who runs a gix-path-based application without git in PATH. The exploitation window is narrow but realistic in targeted environments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: gix-path 0.10.9 (the fix is in the gix-path crate, not in a gitoxide release number)
Vendor Advisory: https://github.com/Byron/gitoxide/security/advisories/GHSA-mgvv-9p9g-3jv4
Restart Required: No OS restart; applications that embed gix-path must be rebuilt against the patched crate and redeployed.
Instructions:
1. Update the gix-path crate to 0.10.9 or later. Most projects pull it in transitively through gix, so run 'cargo update -p gix-path' rather than adding a direct dependency.
2. If the project depends on gix-path directly, set 'gix-path = "^0.10.9"' in Cargo.toml and run 'cargo update'.
3. Rebuild and redeploy the Windows binaries; a patched Cargo.lock does nothing for binaries already shipped.
🔧 Temporary Workarounds
Ensure git is in PATH
Windows: Add the directory holding the Git for Windows launcher to the system (machine) PATH, so every user's processes resolve git before the hard-coded fallback is reached. Use /M from an elevated prompt; without it setx changes only the current user's PATH, which does not protect other accounts. Run only the line for the installation that exists on the host (64-bit Git under Program Files, 32-bit Git under Program Files (x86)):
setx /M PATH "%PATH%;C:\Program Files\Git\cmd"
setx /M PATH "%PATH%;C:\Program Files (x86)\Git\cmd"
In an elevated shell %PATH% expands to the merged machine and user PATH, so check the result for duplicated entries, and setx truncates values longer than 1024 characters; on hosts with a long PATH edit the variable through System Properties instead.
Restrict directory creation
Windows: By default Authenticated Users may create folders directly under the system drive root, which is what lets a limited user create a missing 'C:\Program Files (x86)'. Deny only that right, and only on the root folder itself (no inheritance flags), so the entry does not propagate into C:\Users, ProgramData and other trees users must write to:
icacls C:\ /deny "Authenticated Users":(AD)
Administrators are Authenticated Users too, so this deny also stops installers from creating top-level folders until it is lifted with 'icacls C:\ /remove:d "Authenticated Users"'. Do not add inheritance flags such as (OI)(CI) to the deny: that would propagate a write deny to every existing and future object under C:\.
🧯 If You Can't Patch
- Ensure git is installed and resolvable through the system PATH for all users, so the hard-coded fallback is never consulted
- On 32-bit hosts, pre-create 'C:\Program Files (x86)' as an administrator with an ACL that grants write access only to Administrators and SYSTEM; a directory that already exists and is not user-writable cannot be planted in
- Monitor for top-level directory creation on the system drive and for new git.exe files under either hard-coded path
🔍 How to Verify
Check if Vulnerable:
Look for gix-path entries in Cargo.lock (a lockfile can pin more than one version; every entry earlier than 0.10.9 is affected), or list the resolved versions with cargo tree. Note that a plain grep for gix-path also matches gix-pathspec, a different crate.
Check Version:
cargo tree | grep gix-path
Verify Fix Applied:
Confirm that every resolved gix-path version is 0.10.9 or higher, then rebuild and redeploy the Windows binaries built from that lockfile.
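As an added helper for the check above (not part of the original page or of gitoxide), this small Rust program reads Cargo.lock directly and reports every pinned gix-path version below 0.10.9. It uses a line-oriented reader for the [[package]] tables Cargo writes rather than a full TOML parser, matches the crate name exactly so gix-pathspec is not mistaken for gix-path, and treats a version it cannot parse as vulnerable so it surfaces for manual review. The sample lockfile excerpt embedded in the block is constructed for the example; the function names are this example's own.

```rust
/// One `[[package]]` entry from Cargo.lock.
#[derive(Debug, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// Extract the string from a line of the form `key = "value"`; None for any other line.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim_start();
    let inner = rest.strip_prefix('"')?.strip_suffix('"')?;
    Some(inner.to_string())
}

/// Minimal line-oriented reader for Cargo.lock: every `[[package]]` table carries
/// `name = "..."` and `version = "..."` lines. Any other table header ([metadata],
/// [[patch.unused]], ...) ends the current entry. Good enough for the lockfile Cargo
/// writes; not a general TOML parser.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let mut out = Vec::new();
    let mut cur: Option<(Option<String>, Option<String>)> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            if let Some((Some(name), Some(version))) = cur.take() {
                out.push(LockedPackage { name, version });
            }
            if line == "[[package]]" {
                cur = Some((None, None));
            }
            continue;
        }
        let Some(entry) = cur.as_mut() else { continue };
        if let Some(v) = quoted_value(line, "name") {
            entry.0 = Some(v);
        } else if let Some(v) = quoted_value(line, "version") {
            entry.1 = Some(v);
        }
    }
    if let Some((Some(name), Some(version))) = cur {
        out.push(LockedPackage { name, version });
    }
    out
}

/// Parse "MAJOR.MINOR.PATCH" (any -pre or +build suffix ignored) into a comparable tuple.
pub fn semver_core(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let (a, b, c) = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() {
        return None;
    }
    Some((a, b, c))
}

/// First fixed gix-path release per GHSA-mgvv-9p9g-3jv4.
pub const FIXED_GIX_PATH: (u64, u64, u64) = (0, 10, 9);

/// Every locked gix-path version below 0.10.9. A lockfile can pin several copies of one
/// crate, and the name is compared exactly so gix-pathspec is not reported.
/// A version that does not parse is reported too, so it gets looked at by hand.
pub fn vulnerable_gix_path_versions(lock_text: &str) -> Vec<String> {
    parse_cargo_lock(lock_text)
        .into_iter()
        .filter(|p| p.name == "gix-path")
        .filter(|p| semver_core(&p.version).map_or(true, |v| v < FIXED_GIX_PATH))
        .map(|p| p.version)
        .collect()
}

/// Constructed Cargo.lock excerpt (not from a real project) pinning two copies of gix-path.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "gix"
version = "0.63.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "gix-path",
]

[[package]]
name = "gix-path"
version = "0.10.8"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "gix-path"
version = "0.10.9"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "gix-pathspec"
version = "0.7.5"
"#;

fn main() {
    // Scan the Cargo.lock in the working directory if there is one, else the constructed sample.
    let text = std::fs::read_to_string("Cargo.lock").unwrap_or_else(|_| SAMPLE_LOCK.to_string());
    let hits = vulnerable_gix_path_versions(&text);
    if hits.is_empty() {
        println!("no gix-path earlier than 0.10.9 pinned");
    } else {
        println!("vulnerable gix-path versions pinned: {hits:?}");
    }
}
```

Run it from the root of a project to check that project's lockfile; an empty result means every pinned gix-path is 0.10.9 or later, but the shipped binaries still have to have been built from that lockfile.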
📡 Detection & Monitoring
Log Indicators:
- git.exe executing from C:\Program Files (x86)\Git\mingw32\bin or C:\Program Files\Git\mingw64\bin on a host where Git for Windows is not installed (Security Event ID 4688 with process-creation auditing enabled, NewProcessName field; or Sysmon Event ID 1)
- Creation of a top-level directory on the system drive, in particular 'C:\Program Files (x86)' on a 32-bit host, by a non-administrator account (Sysmon Event ID 11, or Security Event ID 4663 where a SACL audits the drive root)
- A git.exe under either path owned by a standard user rather than an administrative account
Network Indicators:
- None - local privilege escalation only
SIEM Query:
EventID=4688 AND (NewProcessName="C:\\Program Files (x86)\\Git\\mingw32\\bin\\git.exe" OR NewProcessName="C:\\Program Files\\Git\\mingw64\\bin\\git.exe")
Baseline this against hosts that legitimately have Git for Windows installed at these paths; there the event alone is benign and should be correlated with the directory-creation or file-ownership indicators above.
🔗 References
- https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14
- https://github.com/Byron/gitoxide/commit/15235bf7968042da0493d431bbc955d6f9f54188
- https://github.com/Byron/gitoxide/security/advisories/GHSA-mgvv-9p9g-3jv4