GHSA-3qx3-6hxr-j2ch
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3qx3-6hxr-j2ch
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3qx3-6hxr-j2ch/GHSA-3qx3-6hxr-j2ch.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3qx3-6hxr-j2ch
- Aliases
-
- CVE-2024-25817
- Published
- 2024-02-08T18:47:28Z
- Modified
- 2024-03-06T16:12:04.928114Z
- Severity
-
- 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- eza Potential Heap Overflow Vulnerability for AArch64
- Details
-
Summary
In
eza, there exists a potential heap overflow vulnerability, first seen when using Ubuntu for Raspberry Pi series system, onubuntu-raspikernel, relating to the.gitdirectory.Details
The vulnerability seems to be triggered by the
.gitdirectory in some projects. This issue may be related to specific files, and the directory structure also plays a role in triggering the vulnerability. Files/folders that may be involved in triggering the vulnerability include.git/HEAD,.git/refs, and.git/objects.As @polly pointed out to me, this is likely caused by GHSA-j2v7-4f6v-gpg8, which we do seem to use currently.
PoC
For more information check @CuB3y0nd's blogpost blog.
Impact
Arbitrary code execution.
- References
Affected packages
crates.io / eza
Package
- Name
- eza
- View open source insights on deps.dev
- Purl
- pkg:cargo/eza