PT-2024-3970 · Gitoxide · Gitoxide

Eliahkagan · Published 2024-05-22 · Updated 2024-06-15 · CVE-2024-35186

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: gitoxide versions prior to 0.36.0

Description: During checkout, gitoxide does not verify that the paths it writes point to locations inside the working tree. A specially crafted repository can, when cloned, place new files anywhere the application is able to write. This vulnerability leads to a major loss of confidentiality, integrity, and availability: creating files outside the working tree directly compromises integrity even when no code is executed. The issue arises from a lack of verification in gix-worktree-state and inadequate path checks in gix-fs and gix-worktree. It also allows arbitrary code execution when files are placed in locations where they are likely to be executed soon, such as hooks installed in a .git directory.

Recommendations: Update to version 0.36.0 or later to patch the vulnerability. As a temporary workaround, consider restricting the use of gix-worktree-state and gix-fs until the patch is applied. Avoid cloning untrusted repositories to minimize the risk of exploitation.
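The defect described above is a missing lexical check on tree-entry paths before they are written below the working tree. The following is an added illustration of such a check, written for this page; it is not gitoxide's code and the names `validate_checkout_path`, `is_dot_git` and `CheckoutPathError` are assumptions. It rejects absolute paths, `..` and `.` components, backslashes and NUL bytes, and any component that Git would treat as `.git` (case-insensitively, with trailing dots or spaces stripped), then confirms the resulting destination still lies under the root.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons a tree-entry path is refused before checkout (hypothetical type).
#[derive(Debug, PartialEq, Eq)]
pub enum CheckoutPathError {
    Empty,
    Absolute,
    ParentDir,
    CurDir,
    DotGit,
    BadComponent,
    EscapesRoot,
}

/// Returns true for any name Git treats as the `.git` directory:
/// case-insensitive, and with trailing dots/spaces stripped because
/// Windows drops them when creating the entry.
fn is_dot_git(name: &str) -> bool {
    let trimmed = name.trim_end_matches(|c| c == '.' || c == ' ');
    trimmed.eq_ignore_ascii_case(".git")
}

/// Validate a '/'-separated tree-entry path and return the full destination
/// below `root`. The check is purely lexical and never touches the filesystem;
/// a real checkout must additionally refuse to descend through symlinks that
/// already exist on disk, which this function does not cover.
pub fn validate_checkout_path(root: &Path, entry: &str) -> Result<PathBuf, CheckoutPathError> {
    if entry.is_empty() {
        return Err(CheckoutPathError::Empty);
    }
    // A backslash is a separator on Windows and NUL terminates C strings;
    // neither belongs in a tree-entry name, so refuse them outright.
    if entry.contains('\\') || entry.contains('\0') {
        return Err(CheckoutPathError::BadComponent);
    }

    let mut out = root.to_path_buf();
    for comp in Path::new(entry).components() {
        match comp {
            // "/etc/..." on Unix, "C:\..." or "\\server\..." on Windows.
            Component::Prefix(_) | Component::RootDir => return Err(CheckoutPathError::Absolute),
            // Any ".." lets the entry climb above the working tree.
            Component::ParentDir => return Err(CheckoutPathError::ParentDir),
            Component::CurDir => return Err(CheckoutPathError::CurDir),
            Component::Normal(name) => {
                let name = name.to_str().ok_or(CheckoutPathError::BadComponent)?;
                if is_dot_git(name) {
                    return Err(CheckoutPathError::DotGit);
                }
                out.push(name);
            }
        }
    }

    // Belt-and-braces: the loop above only pushes normal components, so this
    // can only fail if a future edit weakens the match arms.
    if !out.starts_with(root) {
        return Err(CheckoutPathError::EscapesRoot);
    }
    Ok(out)
}

fn main() {
    // Constructed sample entries, not taken from any real repository.
    let root = Path::new("/work/tree");
    for entry in ["src/main.rs", "../outside", "/etc/passwd", ".git/hooks/pre-commit", "sub/.GIT./config"] {
        println!("{entry:?} -> {:?}", validate_checkout_path(root, entry));
    }
}
```

Because the function only reasons about the string, it cannot know whether `sub` on disk is a symlink pointing elsewhere; a checkout implementation has to combine a check like this with filesystem-level verification of each intermediate directory before creating files.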

Exploit

Fix

Weakness Enumeration

Relative Path Traversal
Path traversal

Related Identifiers

BDU:2024-04385
CVE-2024-35186
GHSA-7W47-3WG8-547C
OPENSUSE-SU-2024:13987-1
RUSTSEC-2024-0348
RUSTSEC-2024-0349
RUSTSEC-2024-0350

Affected Products

Gitoxide