CVE-2024-51990

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-51990
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-51990.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-51990
Aliases
Downstream
Related
Published
2024-11-07T00:15:17.443Z
Modified
2026-04-10T05:19:28.909677Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Path traversal via crafted Git repositories in jj
Details

jj, or Jujutsu, is a Git-compatible VCS written in rust. In affected versions specially crafted Git repositories can cause jj to write files outside the clone. This issue has been addressed in version 0.23.0. Users are advised to upgrade. Users unable to upgrade should avoid cloning repos from unknown sources.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/51xxx/CVE-2024-51990.json",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/martinvonz/jj

Affected ranges

Type
GIT
Repo
https://github.com/martinvonz/jj
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
5de285f5eb727b613434979cd9d83c30cabaffae
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.23.0"
        }
    ]
}

Affected versions

v0.*
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.15.1
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.5.0
v0.5.1
v0.6.0
v0.6.1
v0.7.0
v0.8.0
v0.9.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-51990.json"