PT-2024-31609 · Git+2

Eliahkagan · Published 2024-09-06 · Updated 2024-10-23 · CVE-2024-45405

CVSS v3.1: 6.0 Medium
Vector: AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: gix-path versions prior to 0.10.11
Description: The issue concerns the improper resolution of paths containing unusual or non-ASCII characters by gix-path, which can enable a local attacker to inject configuration leading to code execution in rare cases. This occurs when gix-path attempts to find the path of a configuration file associated with the git installation using git config -l --show-origin. The problem arises because affected versions of gix-path do not pass -z/--null to cause git to report literal paths, instead attempting to parse quoted paths by stripping quotation marks, which can result in another valid but non-equivalent path. Exploitation is unlikely on single-user systems unless git has been installed in an unusual way, and it is also unlikely on multi-user systems, though plausible in uncommon configurations or use cases.
Recommendations: For versions prior to 0.10.11, update to version 0.10.11 or later to resolve the issue. As a temporary workaround, consider restricting the use of the installation_config and installation_config_prefix functions in gix_path::env until a patch is applied. Avoid using custom system-scope configuration files with unusual paths or names, and ensure that git is installed in a standard location to minimize the risk of exploitation.
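The parsing difference described above, as an added Rust example that is not gix-path's own code: it compares stripping quotation marks from default git config -l --show-origin output with reading the literal path from -z output. The function names are hypothetical, and both sample outputs are constructed for a path containing a non-ASCII character.

```rust
// Added illustration: function names are hypothetical and both sample outputs are constructed.

// Constructed default-format line: git C-quotes a path containing "é" (bytes C3 A9).
const QUOTED: &[u8] = b"file:\"/opt/g\\303\\251/etc/gitconfig\"\tcore.symlinks=false\n";
// Constructed -z output for the same entry: literal path, NUL, key, newline, value, NUL.
const NULL_SEP: &[u8] = b"file:/opt/g\xc3\xa9/etc/gitconfig\0core.symlinks\nfalse\0";

/// Mimics the flawed approach: take the origin of the first line and strip the quote marks.
/// The octal escapes are left undecoded, so the result names a different path.
fn origin_path_by_stripping_quotes(output: &[u8]) -> Option<Vec<u8>> {
    let line = output.split(|&b| b == b'\n').next()?;
    let origin = line.split(|&b| b == b'\t').next()?;
    let path = origin.strip_prefix(b"file:")?;
    let path = path.strip_prefix(b"\"").unwrap_or(path);
    let path = path.strip_suffix(b"\"").unwrap_or(path);
    Some(path.to_vec())
}

/// Reads the first origin from -z output, where the path is literal and NUL-terminated.
fn origin_path_from_null_output(output: &[u8]) -> Option<Vec<u8>> {
    let origin = output.split(|&b| b == 0).next()?;
    Some(origin.strip_prefix(b"file:")?.to_vec())
}

fn main() {
    let stripped = origin_path_by_stripping_quotes(QUOTED).unwrap();
    let literal = origin_path_from_null_output(NULL_SEP).unwrap();
    println!("quotes stripped: {}", String::from_utf8_lossy(&stripped));
    println!("from -z output:  {}", String::from_utf8_lossy(&literal));
    println!("same path: {}", stripped == literal);
}
```

The two results agree only when git did not need to quote the path, which is why plain ASCII installation paths never show the difference.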

Exploit

Fix

Uncontrolled Search Path Element

Weakness Enumeration

Related Identifiers

CVE-2024-45405
GHSA-M8RP-VV92-46C7
OPENSUSE-SU-2024:14353-1
OPENSUSE-SU-2024:14355-1
OPENSUSE-SU-2024:14359-1
OPENSUSE-SU-2024:14363-1
OPENSUSE-SU-2024:14364-1
OPENSUSE-SU-2024_3748-1
RUSTSEC-2024-0371
SUSE-SU-2024:3748-1

Affected Products

Suse
Git
Gix-Path