U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-35186

Change History

New CVE Received by NIST 5/23/2024 5:15:09 AM

Action Type Old Value New Value
Added CVSS V3.1

								
							
							
						
GitHub, Inc. AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Added CWE

								
							
							
						
GitHub, Inc. CWE-23
Added Description

								
							
							
						
gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0.36.0.
Added Reference

								
							
							
						
GitHub, Inc. https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c [No types assigned]