CVE-2024-35186

Publication date 23 May 2024

Last updated 11 July 2025


Ubuntu priority

Cvss 3 Severity Score

8.8 · High

Score breakdown

gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads to a major loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well. This vulnerability has been patched in version(s) 0.36.0.

Status

Package Ubuntu Release Status
rust-gix-fs 25.04 plucky
Not affected
24.10 oracular Ignored end of life, was needs-triage
24.04 LTS noble
Needs evaluation
22.04 LTS jammy Not in release
20.04 LTS focal Not in release
rust-gix-index 25.04 plucky
Not affected
24.10 oracular Ignored end of life, was needs-triage
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Not in release
rust-gix-worktree 25.04 plucky
Not affected
24.10 oracular Ignored end of life, was needs-triage
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Not in release

Severity score breakdown

Parameter Value
Base score 8.8 · High
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H