PT-2024-28962 · Microsoft · Windows
Eliahkagan · Published 2024-07-18 · Updated 2024-07-19 · CVE-2024-40644
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: gitoxide versions 0.10.8

Description: The issue arises from gix-path being tricked into running another git.exe placed in an untrusted location by a limited user account on Windows systems. Windows permits limited user accounts to create new directories in the root of the system drive. While gix-path first looks for git using a PATH search, in version 0.10.8 it also checks two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories. This causes facilities in gix_path::env to directly execute git.exe in those locations. The main problem arises on a 32-bit Windows system, where a limited user can create the C:\Program Files (x86) directory and populate it with arbitrary contents. Once a payload has been placed at the second of the two hard-coded paths, other user accounts, including administrators, will execute it if they run an application that uses gix-path and do not have git in a PATH directory.

Recommendations: To resolve the issue for gitoxide version 0.10.8, upgrade to release version 0.10.9, as this issue has been addressed in this version. There are no known workarounds for this vulnerability.
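The following is an added example, not gix-path's own code, contrasting the hard-coded fallback described above with a lookup that derives candidate directories only from the Program Files variables the environment actually defines (ProgramFiles, ProgramFiles(x86), ProgramW6432 exist on Windows; on a 32-bit system ProgramFiles(x86) is normally absent). The `Git\cmd\git.exe` relative location and the simulated environment are assumptions for illustration.

```rust
use std::collections::HashMap;

/// Relative location of git.exe inside a Git for Windows install (assumption).
const GIT_REL: &str = r"Git\cmd\git.exe";

/// Vulnerable shape: fixed candidates are probed whether or not the directory
/// is a real Program Files directory on this system. On 32-bit Windows
/// "C:\Program Files (x86)" does not normally exist, and a limited user can
/// create it in the root of the system drive, so probing it is unsafe.
fn fallback_candidates_hardcoded() -> Vec<String> {
    vec![
        format!(r"C:\Program Files\{}", GIT_REL),
        format!(r"C:\Program Files (x86)\{}", GIT_REL),
    ]
}

/// Hardened shape: candidates come only from directories the system reports
/// through its environment. `env` stands in for `std::env::var_os` so the
/// logic can be exercised on any host; duplicates (e.g. ProgramW6432 equal to
/// ProgramFiles on a 64-bit process) are collapsed.
fn fallback_candidates_from_env(env: &HashMap<&str, &str>) -> Vec<String> {
    let mut out = Vec::new();
    for var in ["ProgramW6432", "ProgramFiles", "ProgramFiles(x86)"] {
        if let Some(dir) = env.get(var) {
            let candidate = format!(r"{}\{}", dir, GIT_REL);
            if !out.contains(&candidate) {
                out.push(candidate);
            }
        }
    }
    out
}

/// Constructed environment of a 32-bit Windows system: no ProgramFiles(x86).
fn win32_env() -> HashMap<&'static str, &'static str> {
    HashMap::from([("ProgramFiles", r"C:\Program Files")])
}

fn main() {
    println!("hard-coded fallbacks: {:?}", fallback_candidates_hardcoded());
    println!(
        "env-derived fallbacks on 32-bit Windows: {:?}",
        fallback_candidates_from_env(&win32_env())
    );
}
```

On the simulated 32-bit system the environment-derived lookup never yields a path under `C:\Program Files (x86)`, while the hard-coded list always does.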

Weakness Enumeration

Insufficient Verification of Data Authenticity
Uncontrolled Search Path Element

Related Identifiers

CVE-2024-40644
GHSA-MGVV-9P9G-3JV4
RUSTSEC-2024-0355

Affected Products

Windows