AZL-40229

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-40229.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-40229

Upstream

CVE-2024-32884

Published

2024-04-26T18:15:46Z

Modified

2026-04-21T04:28:57.405910Z

Summary

CVE-2024-32884 affecting package rust for versions less than 1.75.0-9

Details

gitoxide is a pure Rust implementation of Git. gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-32884

Affected packages

Azure Linux:3 / rust

Package

Name: rust
Purl: pkg:rpm/azure-linux/rust

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.75.0-9

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-40229.json"