The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnerability (involving a username field) that is more difficult to exploit.

...

SUSE-SU-2018:1489-1 Security update for bzr

Bzr was updated to fix a security issue: - CVE-2017-14176: Avoid code execution using ssh:// url injection boo1058214...