| Reporter | Title | Published |
|---|---|---|
| cgr | CVE-2024-45405 vulnerabilities | 6 Sep 2024 13:15 |
| circl | CVE-2024-45405 | 6 Sep 2024 05:50 |
| cnnvd | gitoxide security vulnerability | 6 Sep 2024 00:00 |
| cve | CVE-2024-45405 | 6 Sep 2024 13:10 |
| cvelist | CVE-2024-45405 gix-path improperly resolves configuration path reported by Git | 6 Sep 2024 13:10 |
| debiancve | CVE-2024-45405 | 6 Sep 2024 13:10 |
| euvd | EUVD-2024-2833 | 3 Oct 2025 20:07 |
| github | gix-path improperly resolves configuration path reported by Git | 6 Sep 2024 19:55 |
| nvd | CVE-2024-45405 | 6 Sep 2024 13:15 |
| opensuse | onefetch-2.22.0-1.1 on GA media (moderate) | 22 Sep 2024 00:00 |
| Source | Link |
|---|---|
| ubuntu | www.ubuntu.com/security/CVE-2024-45405 |
| cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(256375);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/08/27");
script_cve_id("CVE-2024-45405");
script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2024-45405");
script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.
- `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing with paths
and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration
file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII
characters, in rare cases enabling a local attacker to inject configuration leading to code execution.
Version 0.10.11 contains a patch for the issue. In `gix_path::env`, the underlying implementation of the
`installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to
find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path`
do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case
that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The
problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of
quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to
the original. On a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and
`GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a
scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in
some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are
expected to install `git` themselves, and are likely to do so in predictable locations; locations where
`git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git`
quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope
configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an
unusual location or has strangely named components; or a `system`-scope configuration file is absent,
empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a
`global`-scope configuration file as belonging to the installation if no higher scope configuration file
is available. This increases the likelihood of exploitation even on a system where `git` is installed
system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any
combination of those factors. (CVE-2024-45405)
Note that Nessus relies on the presence of the package as reported by the vendor.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2024-45405");
script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
script_set_attribute(attribute:"agent", value:"unix");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-45405");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/09/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/27");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:rust-gix-path");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
script_require_ports("Host/OS/Ubuntu Linux-24.04");
exit(0);
}
# Detection only runs when the scanner's "unpatched vulnerabilities" setting is on,
# local checks are enabled, and a dpkg package list was collected from the host.
if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

# Any installed rust-gix-path on Ubuntu 24.04 is flagged: there is no fixed
# version to compare against, only the package's presence (see the note above).
var distro_constraints_array = {
  "Ubuntu Linux-24.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "24.04",
        "pkgs": [
          {"reference": "rust-gix-path"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');

var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);
if (!empty_or_null(report))
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}
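The plugin description above explains the bug abstractly: affected `gix-path` strips the quotation marks from the origin path that `git config -l --show-origin` prints instead of decoding git's C-style quoting, so a quoted path can turn into a different, still valid path. The following is an added example, written for this page and not code from gitoxide, gix-path or Tenable. It models the quote-stripping behaviour the advisory describes, implements a decoder for git's `quote_c_style()` escaping (backslash-escaped `"` and `\`, `\t`-style controls, three-digit octal for other control and non-ASCII bytes), and shows a parser for the `-z` output mode in which git emits the path literally. The sample `--show-origin` line and the `-z` buffer are constructed; the exact `-z` record layout (`<type>:<path>\0<key>\n<value>\0`) is my reading of git's `builtin/config.c` and should be checked against the git version in use.

```rust
// Added example (not gitoxide/gix-path code): how git quotes the origin path
// in `git config -l --show-origin`, why stripping the surrounding quotes is
// not enough, and what a real decoder (or `-z` mode) yields instead.
//
// Quoting follows git's quote_c_style(): the path is wrapped in double quotes
// only if some byte needs escaping; `"` and `\` become `\"` and `\\`;
// \a \b \t \n \v \f \r stand for those control bytes; every other control
// byte and every non-ASCII byte (>= 0x80) becomes a three-digit octal escape.

/// Naive decoder modelled on the behaviour the advisory describes for
/// gix-path < 0.10.11: drop a leading and trailing `"`, keep everything else.
pub fn strip_quotes_only(origin: &str) -> Vec<u8> {
    let inner = origin
        .strip_prefix('"')
        .and_then(|s| s.strip_suffix('"'))
        .unwrap_or(origin);
    inner.as_bytes().to_vec()
}

/// Decode a quote_c_style()-quoted path back to its raw bytes.
/// Returns None for malformed input (unterminated quote, unknown escape).
pub fn unquote_c_style(origin: &str) -> Option<Vec<u8>> {
    let b = origin.as_bytes();
    if b.first() != Some(&b'"') {
        return Some(b.to_vec()); // unquoted: git printed the path literally
    }
    if b.len() < 2 || b[b.len() - 1] != b'"' {
        return None;
    }
    let inner = &b[1..b.len() - 1];
    let mut out = Vec::with_capacity(inner.len());
    let mut i = 0;
    while i < inner.len() {
        let c = inner[i];
        if c != b'\\' {
            if c == b'"' {
                return None; // a bare quote cannot occur inside a quoted path
            }
            out.push(c);
            i += 1;
            continue;
        }
        i += 1; // skip the backslash
        let e = *inner.get(i)?;
        let decoded = match e {
            b'a' => 0x07, b'b' => 0x08, b't' => b'\t', b'n' => b'\n',
            b'v' => 0x0b, b'f' => 0x0c, b'r' => b'\r', b'"' => b'"', b'\\' => b'\\',
            b'0'..=b'3' => {
                let d = inner.get(i..i + 3)?; // three octal digits, e.g. \303 -> 0xC3
                if !d.iter().all(|x| (b'0'..=b'7').contains(x)) {
                    return None;
                }
                i += 2; // the loop increment below consumes the third digit
                ((d[0] - b'0') as u32 * 64 + (d[1] - b'0') as u32 * 8 + (d[2] - b'0') as u32) as u8
            }
            _ => return None,
        };
        out.push(decoded);
        i += 1;
    }
    Some(out)
}

/// Split one newline-mode `--show-origin` record: `<type>:<path>\t<key>=<value>`.
/// A tab inside the path would have been escaped as `\t`, so a literal tab is
/// always the field separator.
pub fn split_origin_line(line: &str) -> Option<(&str, &str, &str)> {
    let (origin, kv) = line.split_once('\t')?;
    let (ty, path) = origin.split_once(':')?;
    Some((ty, path, kv))
}

/// Parse `git config -l -z --show-origin` output. With `-z` git writes the
/// origin path literally, terminates it with NUL, then writes `<key>\n<value>\0`
/// (assumed layout, per my reading of git's builtin/config.c). Paths stay as
/// raw bytes because they need not be valid UTF-8.
pub fn parse_show_origin_null(buf: &[u8]) -> Vec<(Vec<u8>, String, String)> {
    let mut out = Vec::new();
    let mut fields = buf.split(|&b| b == 0);
    while let (Some(origin), Some(kv)) = (fields.next(), fields.next()) {
        let colon = match origin.iter().position(|&b| b == b':') {
            Some(c) => c,
            None => break, // not a `<type>:<path>` origin: stop rather than guess
        };
        let kv = String::from_utf8_lossy(kv).into_owned();
        let (k, v) = kv.split_once('\n').unwrap_or((kv.as_str(), ""));
        out.push((origin[colon + 1..].to_vec(), k.to_string(), v.to_string()));
    }
    out
}

/// Constructed sample: git's config lives under a home directory whose name
/// contains "é" (UTF-8 0xC3 0xA9), which git prints as \303\251.
pub fn demo() -> (Vec<u8>, Vec<u8>) {
    let line = "file:\"/home/ren\\303\\251/.gitconfig\"\tcore.quotepath=true";
    let (_ty, quoted, _kv) = split_origin_line(line).expect("well-formed sample");
    let naive = strip_quotes_only(quoted);
    let correct = unquote_c_style(quoted).expect("valid quoting");
    // `naive` is "/home/ren\303\251/.gitconfig" with literal backslashes, a
    // different but perfectly valid path; `correct` is "/home/rené/.gitconfig".
    (naive, correct)
}

fn main() {
    let (naive, correct) = demo();
    println!("strip-quotes: {}", String::from_utf8_lossy(&naive));
    println!("c-unquote   : {}", String::from_utf8_lossy(&correct));
}
```

The practical lesson matches the fix shipped in gix-path 0.10.11: either ask git for literal paths with `-z`/`--null` and never unquote, or, if parsing the human-readable form, decode every escape rather than only trimming the quotes. Treating the decoded path as bytes, not as `String`, also avoids silently mangling non-UTF-8 directory names.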