Lucene search

K
cvelistGitHub_MCVELIST:CVE-2024-35197
HistoryMay 23, 2024 - 12:09 p.m.

CVE-2024-35197 gix refs and paths with reserved Windows device names access the devices

2024-05-2312:09:09
CWE-67
GitHub_M
www.cve.org
gitoxide
cve-2024-35197
windows
legacy device names
arbitrary data

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

0.0004 Low

EPSS

Percentile

9.0%

gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances. If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact. A minor degradation in availability may also be possible, such as with a very large file named CON, though the user could interrupt the application.

CNA Affected

[
  {
    "vendor": "Byron",
    "product": "gitoxide",
    "versions": [
      {
        "version": "< 0.36.0",
        "status": "affected"
      }
    ]
  }
]

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

0.0004 Low

EPSS

Percentile

9.0%

Related for CVELIST:CVE-2024-35197