PT-2024-31558 · Gix-Path

Reporter: Eliahkagan · Published: 2024-08-31 · Updated: 2024-09-03 · CVE-2024-45305

CVSS v3.1: 2.5 (Low)
Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: gix-path versions prior to 0.10.10

Description: The gix-path crate of the gitoxide project mistakenly treats the local repository's configuration as system-wide if no higher-scoped configuration is found. This can cause a less trusted repository to be treated as more trusted, or leak sensitive information from one repository to another, such as sending credentials to another repository's remote. The issue is believed to be very difficult to exploit deliberately, because an attacker would need to anticipate or arrange for the absence of higher-scoped configuration variables. Any operating system may be affected, but users running Apple Git on macOS are much less likely to be affected.

Recommendations: To resolve the issue, upgrade to release version 0.10.10 or later. As a temporary workaround, consider setting the GIT_CONFIG_SYSTEM and GIT_CONFIG_GLOBAL environment variables to prevent gix-path from finding the path of configuration files for those scopes. Additionally, using a credential manager, or setting http.<url>.extraHeader with a specific <url> rather than a bare http.extraHeader, can help avoid the vulnerability.

Related Identifiers

CVE-2024-45305
GHSA-V26R-4C9C-H3J6
RUSTSEC-2024-0367

Affected Products

Gix-Path