
137 matches found

Microsoft CVE
added 2026/05/31 8:4 a.m., 4 views

gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule

...

8.5 CVSS, 5.3 AI score, 0.00356 EPSS
Exploits: 0

SUSE CVE
added 2026/05/28 3:58 a.m., 12 views

SUSE CVE-2026-40034

gix-submodule before 0.29.0, gitoxide before 0.5.21, gix before 0.84.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An...

8.5 CVSS, 6.2 AI score, 0.00356 EPSS
Exploits: 0, References: 3

Tenable Nessus
added 2026/05/28 12:0 a.m., 8 views

Linux Distros Unpatched Vulnerability : CVE-2026-40034

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - gix-submodule before 0.29.0, gitoxide before 0.5.21, gix before 0.84.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the...

8.5 CVSS, 6.2 AI score, 0.00356 EPSS
Exploits: 0, References: 2

NVD
added 2026/05/26 3:16 p.m., 13 views

CVE-2026-40034

gix-submodule before 0.29.0, gitoxide before 0.5.21, gix before 0.84.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An...

8.5 CVSS, 0.00356 EPSS
Exploits: 0, References: 5

UbuntuCve
added 2026/05/26 3:16 p.m., 6 views

CVE-2026-40034

gix-submodule before 0.82.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands vi...

8.5 CVSS, 6.2 AI score, 0.00356 EPSS
Exploits: 0, References: 6

OSV
added 2026/05/26 3:16 p.m., 6 views

UBUNTU-CVE-2026-40034

gix-submodule before 0.29.0, gitoxide before 0.5.21, gix before 0.84.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An...

8.5 CVSS, 6.2 AI score, 0.00356 EPSS
Exploits: 0, References: 7

Cvelist
added 2026/05/26 2:8 p.m., 41 views

CVE-2026-40034 gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule

gix-submodule before 0.29.0, gitoxide before 0.5.21, gix before 0.84.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An...

8.5 CVSS, 0.00356 EPSS
Exploits: 0, References: 5

EUVD
added 2026/05/26 2:8 p.m., 8 views

EUVD-2026-31831

gix-submodule before 0.82.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands vi...

8.5 CVSS, 6.2 AI score, 0.00356 EPSS
Exploits: 0, References: 5

CVE
added 2026/05/26 2:8 p.m., 27 views

CVE-2026-40034

CVE-2026-40034 affects gix-submodule (gitoxide) prior to 0.82.0. The vulnerability arises because update in .gitmodules is not properly validated, allowing an attacker who has initialized a submodule with partial configuration in .git/config to bypass the CommandForbiddenInModulesConfiguration gu...

8.5 CVSS, 6.2 AI score, 0.00356 EPSS
Exploits: 0, References: 5

Positive Technologies
added 2026/05/26 12:0 a.m., 11 views

PT-2026-43251

Name of the Vulnerable Software and Affected Versions: gix-submodule versions prior to 0.29.0; gitoxide versions prior to 0.5.21; gix versions prior to 0.84.0. Description: Incorrect validation of the update field in .gitmodules allows attackers to bypass the CommandForbiddenInModulesConfiguration gua...

8.5 CVSS, 6.3 AI score, 0.00356 EPSS
Exploits: 0, References: 12

Tenable Nessus
added 2026/05/17 12:0 a.m., 8 views

Fedora 45 : helix / rust-asyncgit / rust-cargo / rust-cargo-deny / rust-dua-cli / etc (2026-a843eb2666)

The remote Fedora 45 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-a843eb2666 advisory. Update gix to version 0.83. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested...

7.1 CVSS, 5.8 AI score, 0.00193 EPSS
Exploits: 1, References: 2

vulnersOsv
added 2026/05/05 7:27 p.m., 5 views

endringer (>=0.1.0 <=0.7.1) potentially affected by unknown CVE via gix (=0.0.0)

gix CARGO version =0.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on gix and may be impacted: - endringer =0.1.0, =0.7.1 Source cves: unknown CVE Source advisory: OSV:GHSA-FR8X-3VFX-F45H...

5.8 AI score
Exploits: 0

vulnersOsv
added 2026/05/05 7:26 p.m., 2 views

endringer (>=0.1.0 <=0.7.1) potentially affected by unknown CVE via gix (=0.0.0)

gix CARGO version =0.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on gix and may be impacted: - endringer =0.1.0, =0.7.1 Source cves: unknown CVE Source advisory: OSV:GHSA-PG4W-G64P-QWHJ...

5.8 AI score
Exploits: 0

OSV
added 2026/05/05 7:24 p.m., 2 views

GHSA-X494-MJ8G-CJ27 gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data

Summary: Multiple denial-of-service vectors in gix-pack: unchecked array indexing causes panics on crafted delta data, and uncapped attacker-controlled size headers enable OOM process kills. Both are triggered by malicious pack data received during clone/fetch. Details: Bug 1: Unchecked array...

8.7 CVSS, 6 AI score
Exploits: 0, References: 2

Github Security Blog
added 2026/05/05 7:24 p.m., 4 views

gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data

Summary: Multiple denial-of-service vectors in gix-pack: unchecked array indexing causes panics on crafted delta data, and uncapped attacker-controlled size headers enable OOM process kills. Both are triggered by malicious pack data received during clone/fetch. Details: Bug 1: Unchecked array...

6 AI score
Exploits: 0, References: 2, Affected Software: 1

vulnersOsv
added 2026/05/05 7:20 p.m., 7 views

endringer (>=0.1.0 <=0.7.1) potentially affected by unknown CVE via gix (=0.0.0)

gix CARGO version =0.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on gix and may be impacted: - endringer =0.1.0, =0.7.1 Source cves: unknown CVE Source advisory: OSV:GHSA-P3HW-MV63-RF9W...

5.8 AI score
Exploits: 0

Positive Technologies
added 2026/05/05 12:0 a.m., 6 views

PT-2026-38897

Summary: Multiple denial-of-service vectors in gix-pack: unchecked array indexing causes panics on crafted delta data, and uncapped attacker-controlled size headers enable OOM process kills. Both are triggered by malicious pack data received during clone/fetch. Details: Bug 1: Unchecked array...

8.7 CVSS, 6 AI score
Exploits: 0, References: 3

Amazon
added 2026/04/14 12:0 a.m., 8 views

Medium: rust

Issue Overview: A flaw in the gix-date library can generate invalid non-UTF8 strings, leading to undefined behavior when processed. The most likely impact from a successful attack is to data integrity, by the malicious data being able to corrupt data being held in memory and to system availabilit...

8.1 CVSS, 5.9 AI score, 0.00688 EPSS
Exploits: 4

Tenable Nessus
added 2026/04/14 12:0 a.m., 10 views

Amazon Linux 2 : rust, --advisory ALAS2-2026-3246 (ALAS-2026-3246)

The version of rust installed on the remote host is prior to 1.94.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3246 advisory. A flaw in the gix-date library can generate invalid non-UTF8 strings, leading to undefined behavior when processed. The most...

8.1 CVSS, 6 AI score, 0.00397 EPSS
Exploits: 3, References: 8

Amazon
added 2026/04/13 12:0 a.m., 8 views

Medium: rust

Issue Overview: A flaw in the gix-date library can generate invalid non-UTF8 strings, leading to undefined behavior when processed. The most likely impact from a successful attack is to data integrity, by the malicious data being able to corrupt data being held in memory and to system availabilit...

8.1 CVSS, 5.8 AI score, 0.00688 EPSS
Exploits: 4