{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/gix-vulnerable--0.83.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["gix (vulnerable: \u003c 0.83.0)","gix-validate (vulnerable: \u003c= 0.10.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","credential-disclosure","git"],"_cs_type":"advisory","_cs_vendors":["rust"],"content_html":"\u003cp\u003eA path traversal vulnerability exists within the gix library, specifically affecting applications that utilize git submodules. This flaw stems from inadequate validation of submodule names, allowing an attacker to craft a malicious \u003ccode\u003e.gitmodules\u003c/code\u003e file containing directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e). The vulnerability is amplified by a trust inheritance issue where submodule repositories inherit the \u003ccode\u003egit_dir_trust\u003c/code\u003e setting from their parent, bypassing ownership checks. Successful exploitation allows an attacker to read sensitive configuration files, potentially including credentials, from arbitrary git directories. This vulnerability affects gix versions prior to 0.83.0 and gix-validate versions 0.10.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious git repository with a specially crafted \u003ccode\u003e.gitmodules\u003c/code\u003e file containing path traversal sequences in the submodule name (e.g., \u003ccode\u003ex..y/../../..\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA victim clones the attacker\u0026rsquo;s repository using a tool built on the vulnerable gitoxide library (gix).\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s tool iterates through the submodules, potentially triggered by commands like \u003ccode\u003esubmodule.open()\u003c/code\u003e or \u003ccode\u003esubmodule.status()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egit_dir()\u003c/code\u003e function, due to insufficient validation, constructs a path that traverses outside the intended submodule directory (e.g., resolving to the parent \u003ccode\u003e.git/\u003c/code\u003e directory).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eopen_opts()\u003c/code\u003e function is called with \u003ccode\u003eTrust::Full\u003c/code\u003e inherited from the parent repository, skipping ownership checks.\u003c/li\u003e\n\u003cli\u003eThe library opens the traversed path (e.g., the parent\u0026rsquo;s \u003ccode\u003e.git/config\u003c/code\u003e file) as a trusted repository.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access sensitive configuration values, such as \u003ccode\u003eremote.origin.url\u003c/code\u003e, \u003ccode\u003ehttp.extraHeader\u003c/code\u003e (containing tokens), \u003ccode\u003ecredential.*\u003c/code\u003e sections, and \u003ccode\u003ecore.sshCommand\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the exposed credentials via standard API calls, such as \u003ccode\u003erepo.config_snapshot().string(\u0026quot;http.extraHeader\u0026quot;)\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability enables an attacker to read sensitive configuration files from arbitrary git repositories accessible to the vulnerable application. This includes potential disclosure of credentials such as tokens embedded in URLs or HTTP headers, SSH keys, and other sensitive information. The impact is high due to the potential for lateral movement and further compromise within the victim\u0026rsquo;s environment. This is similar to GHSA-7w47-3wg8-547c.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested fix by patching the gix and gix-validate libraries to version 0.83.0 or later to resolve the validation bypass and trust inheritance issues.\u003c/li\u003e\n\u003cli\u003eImplement a detection rule for process creation events where a git command is executed with a submodule path containing directory traversal sequences (\u003ccode\u003e..\u003c/code\u003e) based on the flawed validation in \u003ccode\u003egix-validate/src/submodule.rs\u003c/code\u003e as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Git Submodule Path Traversal\u0026rdquo; to identify potential exploitation attempts (see rules section below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-gix-submodule-traversal/","summary":"A vulnerability in gix's submodule name validation allows path traversal via a crafted .gitmodules file, combined with a trust inheritance flaw in Submodule::open(), enabling arbitrary git repository config reading, including credentials, with full trust.","title":"gix Submodule Path Traversal and Credential Disclosure","url":"https://feed.craftedsignal.io/briefs/2024-01-03-gix-submodule-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Gix (Vulnerable: \u003c 0.83.0)","version":"https://jsonfeed.org/version/1.1"}