CVE-2024-35197— gix refs and paths with reserved Windows device names access the devices
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-35197
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
gix refs and paths with reserved Windows device names access the devices
Source: NVD (National Vulnerability Database)
Vulnerability Description
gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances. If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact. A minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could interrupt the application.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
Windows设备名处理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
gitoxide 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
gitoxide是Sebastian Thiel个人开发者的一个用 Rust 编写的 git 实现。 gitoxide 0.36.0之前版本存在安全漏洞,该漏洞源于通过获取与旧设备名称冲突的引用可以将任意数据写入设备。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-35197
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-35197
请登录查看更多情报信息。
- https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2024-35197
IV. Related Vulnerabilities
Same product: gitoxide
- CVE-2026-0810
Gix-date: gix-date: undefined behavior due to invalid string - CVE-2025-31130
gitoxide does not detect SHA-1 collision attacks - CVE-2025-22620
gix-worktree-state nonexclusive checkout sets executable fil - CVE-2024-45405
gix-path improperly resolves configuration path reported by - CVE-2024-45305
gix-path uses local config across repos when it is the highe
Same vendor: Byron
- CVE-2024-45405
gix-path improperly resolves configuration path reported by - CVE-2024-45305
gix-path uses local config across repos when it is the highe - CVE-2024-43785
gitoxide-core does not neutralize special characters for ter - CVE-2024-40644
gitoxide's gix-path can use a fake program files location - CVE-2024-35186
gix traversal outside working tree enables arbitrary code ex
Same weakness: CWE-67
V. Comments for CVE-2024-35197
No comments yet