{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/gix/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["gix","gitoxide"],"_cs_severities":["high"],"_cs_tags":["path-traversal","git","repository-confusion","supply-chain"],"_cs_type":"advisory","_cs_vendors":["GitoxideLabs"],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in the gix and gitoxide libraries. The vulnerability stems from the lack of validation of submodule names extracted from the \u003ccode\u003e.gitmodules\u003c/code\u003e file. Specifically, these submodule names are used to construct file paths for accessing submodule Git directories. An attacker can craft a malicious \u003ccode\u003e.gitmodules\u003c/code\u003e file containing a submodule name with path traversal sequences (e.g., \u003ccode\u003e../../../escaped-target.git\u003c/code\u003e). This allows the attacker to redirect \u003ccode\u003estate()\u003c/code\u003e and \u003ccode\u003eopen()\u003c/code\u003e calls to an arbitrary repository outside the intended \u003ccode\u003e.git/modules\u003c/code\u003e directory. This can cause a vulnerable application using these libraries to operate on an unexpected repository, leading to potential security issues. 
The vulnerability affects gix versions prior to 0.83.0 and gitoxide versions up to and including 0.52.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.gitmodules\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.gitmodules\u003c/code\u003e file contains a submodule name with path traversal sequences (e.g., \u003ccode\u003e../../../escaped-target.git\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA vulnerable application using gix or gitoxide parses the malicious \u003ccode\u003e.gitmodules\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe application extracts the unvalidated submodule name from the \u003ccode\u003e.gitmodules\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path to the submodule\u0026rsquo;s Git directory using the unvalidated name: \u003ccode\u003e\u0026lt;superproject common_dir\u0026gt;/modules/\u0026lt;submodule name\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences in the submodule name, the constructed path escapes the intended \u003ccode\u003e.git/modules\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003estate()\u003c/code\u003e or \u003ccode\u003eopen()\u003c/code\u003e using the escaped path, which leads to an attacker-controlled repository.\u003c/li\u003e\n\u003cli\u003eThe application performs operations (enumeration, inspection, etc.) on the attacker-chosen repository, potentially leading to information disclosure or other unexpected behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability can lead to repository confusion, where a vulnerable application operates on an unintended repository. 
While the report does not claim direct command execution, the redirection of repository access can have significant consequences. For example, if the application relies on submodule state for access control or other security-sensitive operations, an attacker could potentially bypass these checks by redirecting the application to a controlled repository. How many applications are affected depends on how widely the vulnerable gix and gitoxide versions are deployed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to gix version 0.83.0 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eUpgrade to a version of gitoxide later than 0.52.0, if available (or switch to gix).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Git Submodule Path Traversal in Configuration\u003c/code\u003e to identify potentially malicious \u003ccode\u003e.gitmodules\u003c/code\u003e files based on submodule name patterns.\u003c/li\u003e\n\u003cli\u003eValidate submodule names before using them to construct file paths, as recommended in the advisory: reject names containing a \u003ccode\u003e..\u003c/code\u003e component and confirm that the resulting path still lies under \u003ccode\u003e.git/modules\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for suspicious activity related to submodule operations, especially those involving unusual file paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-git-submodule-path-traversal/","summary":"A path traversal vulnerability exists in gix and gitoxide where unvalidated submodule names from `.gitmodules` can be used to escape the `.git/modules` directory, potentially leading to repository confusion by redirecting submodule state inspection and open operations to attacker-controlled paths.","title":"gix and gitoxide Submodule Path Traversal 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-29-git-submodule-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2019-19604"}],"_cs_exploited":false,"_cs_products":["gix"],"_cs_severities":["high"],"_cs_tags":["code-vulnerability","remote-code-execution","gitoxide"],"_cs_type":"advisory","_cs_vendors":["GitoxideLabs"],"content_html":"\u003cp\u003eA vulnerability exists in gitoxide\u0026rsquo;s \u003ccode\u003egix_submodule::File::update()\u003c/code\u003e function, specifically in versions 0.31.0 to 0.82.0, that allows for arbitrary command execution. The vulnerability arises from an insufficient check on the origin of the \u003ccode\u003eupdate\u003c/code\u003e command specified in a \u003ccode\u003e.gitmodules\u003c/code\u003e file.  An attacker can exploit this by pushing a new commit with a malicious \u003ccode\u003eupdate\u003c/code\u003e command in \u003ccode\u003e.gitmodules\u003c/code\u003e after the victim initializes the submodule.  This bypasses the intended security guard, leading to potential remote command execution in downstream code that relies on \u003ccode\u003eSubmodule::update()\u003c/code\u003e and trusts the safety of \u003ccode\u003eUpdate::Command(_)\u003c/code\u003e. 
This issue is similar to CVE-2019-19604, highlighting the risk of unchecked commands in submodule configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker creates a repository with a benign \u003ccode\u003e.gitmodules\u003c/code\u003e file, containing no \u003ccode\u003eupdate\u003c/code\u003e key.\u003c/li\u003e\n\u003cli\u003eA victim clones the attacker\u0026rsquo;s repository and runs \u003ccode\u003egit submodule init\u003c/code\u003e, which populates the \u003ccode\u003e.git/config\u003c/code\u003e file with submodule information (URL, active status), but not the \u003ccode\u003eupdate\u003c/code\u003e key.\u003c/li\u003e\n\u003cli\u003eThe attacker pushes a new commit to the repository, adding a malicious \u003ccode\u003eupdate = !\u0026lt;command\u0026gt;\u003c/code\u003e line to the \u003ccode\u003e.gitmodules\u003c/code\u003e file (e.g., \u003ccode\u003eupdate = !touch /tmp/pwned\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe victim runs \u003ccode\u003egit pull\u003c/code\u003e to update their local repository, incorporating the attacker\u0026rsquo;s modified \u003ccode\u003e.gitmodules\u003c/code\u003e file. 
The \u003ccode\u003e.git/config\u003c/code\u003e file remains unchanged.\u003c/li\u003e\n\u003cli\u003eA gitoxide-based application calls \u003ccode\u003eSubmodule::update()\u003c/code\u003e to determine the submodule update strategy.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003egix_submodule::File::update\u003c/code\u003e function is called, which incorrectly validates the source of the \u003ccode\u003eupdate\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe function checks that a submodule section with the same name exists in a non-.gitmodules source, but does not verify if the update value comes from that section, bypassing the intended security guard.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled shell command from the \u003ccode\u003e.gitmodules\u003c/code\u003e file is executed, leading to arbitrary command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows an attacker to execute arbitrary commands on a system running gitoxide-based applications that utilize submodules. This could lead to complete system compromise, data exfiltration, or denial of service. Any tool, IDE plugin, or CI integration building submodule-update functionality on top of \u003ccode\u003egix\u003c/code\u003e within the affected version range inherits this vulnerability.  
Successful exploitation depends on whether the vulnerable application trusts the output of \u003ccode\u003eSubmodule::update()\u003c/code\u003e, which determines the update strategy.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003egix\u003c/code\u003e version 0.83.0 or later to patch the vulnerability (\u003ca href=\"https://github.com/advisories/GHSA-f26g-jm89-4g65\"\u003ehttps://github.com/advisories/GHSA-f26g-jm89-4g65\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eTreat \u003ccode\u003eUpdate::Command(_)\u003c/code\u003e returned by \u003ccode\u003eSubmodule::update()\u003c/code\u003e as untrusted unless the \u003ccode\u003eupdate\u003c/code\u003e value itself is known to come from a local configuration source rather than \u003ccode\u003e.gitmodules\u003c/code\u003e; the mere presence of a same-named section in \u003ccode\u003e.git/config\u003c/code\u003e is not sufficient.\u003c/li\u003e\n\u003cli\u003eDeploy the accompanying Sigma rule to detect potential exploitation attempts by monitoring for the execution of unexpected commands based on submodule configuration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:00:00Z","date_published":"2024-01-09T18:00:00Z","id":"/briefs/2024-01-09-gitoxide-rce/","summary":"A vulnerability in gitoxide's `gix_submodule::File::update()` allows arbitrary command execution via a crafted `.gitmodules` file by incorrectly validating the source of the `update` command, enabling an attacker to inject malicious commands after a submodule has been initialized.","title":"gitoxide Arbitrary Command Execution via .gitmodules Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-09-gitoxide-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Gix","version":"https://jsonfeed.org/version/1.1"}
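Added editorial example covering both briefs in this feed. It is not part of the feed entries and is not gix/gitoxide code; it uses no gix API. It shows, in Rust, the two checks the briefs describe as missing: for the path-traversal brief, validating a submodule name before joining it under `<common_dir>/modules/`; for the command-execution brief, honouring an `update = !cmd` only when that specific key came from `.git/config` rather than from a same-named section that merely exists there. The config parser, the function names (`parse_submodule_sections`, `is_safe_submodule_name`, `submodule_git_dir`, `resolve_update`) and the sample `.gitmodules` / `.git/config` texts are all constructed for illustration. The name check goes slightly beyond the brief's `../` example: it treats `\` as a separator too, as C git's own submodule-name rule does, and rejects absolute names, because Rust's `Path::join` replaces the base path with an absolute component.

```rust
// Added editorial example, not gix/gitoxide code; it uses no gix API. It shows the
// two checks the briefs describe as missing: (1) validating a submodule name before
// joining it under <common_dir>/modules/, (2) honouring `update = !cmd` only when
// that key itself came from a trusted source. The parser is a minimal stand-in.
use std::collections::BTreeMap;
use std::path::{Path, PathBuf};

/// Where a setting was read from: `.gitmodules` is in the attacker-controlled tree;
/// `.git/config` is written locally (e.g. by `git submodule init`).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Source { GitModules, GitConfig }

/// One `[submodule "name"]` section: key -> (value, source).
pub type Section = BTreeMap<String, (String, Source)>;

/// Minimal parser for `[submodule "name"]` sections with `key = value` lines
/// (no includes, no quoting rules; enough for these examples).
pub fn parse_submodule_sections(text: &str, source: Source) -> BTreeMap<String, Section> {
    let mut out: BTreeMap<String, Section> = BTreeMap::new();
    let mut current: Option<String> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with(';') { continue; }
        if let Some(rest) = line.strip_prefix("[submodule \"") {
            current = rest.strip_suffix("\"]").map(str::to_string);
            if let Some(name) = &current {
                out.entry(name.clone()).or_default();
            }
            continue;
        }
        // Any other section header ends the current submodule section.
        if line.starts_with('[') { current = None; continue; }
        if let (Some(name), Some((k, v))) = (&current, line.split_once('=')) {
            out.get_mut(name).unwrap().insert(k.trim().to_string(), (v.trim().to_string(), source));
        }
    }
    out
}

/// Check 1: the name must not be able to leave `modules/`. Mirrors C git's rule
/// (no `..` component, with `/` or `\` as separator) and also rejects absolute
/// names, because `Path::join` would *replace* the base with one.
pub fn is_safe_submodule_name(name: &str) -> bool {
    if name.is_empty() || name.contains('\0') || name.starts_with('/') || name.starts_with('\\') {
        return false;
    }
    !name.split(|c| c == '/' || c == '\\').any(|component| component == "..")
}

/// Build `<common_dir>/modules/<name>`, refusing names that fail check 1.
pub fn submodule_git_dir(common_dir: &Path, name: &str) -> Option<PathBuf> {
    if !is_safe_submodule_name(name) { return None; }
    let base = common_dir.join("modules");
    let dir = base.join(name);
    dir.starts_with(&base).then_some(dir) // belt and braces: still rooted under modules/
}

/// The resolved `submodule.<name>.update` value.
#[derive(Debug, PartialEq, Eq)]
pub enum Update {
    Strategy(String), // checkout / rebase / merge / none, from any source
    Command(String),  // a `!cmd`; only produced when the key came from `.git/config`
}

/// Check 2: overlay `.git/config` on `.gitmodules` key by key so every value keeps
/// its own source, then refuse `!cmd` unless *that key* came from `.git/config`.
/// A same-named trusted section is not enough: after `submodule init` it exists
/// without `update`, so a later push to `.gitmodules` would supply the command.
pub fn resolve_update(gitmodules: &str, gitconfig: &str, name: &str) -> Result<Option<Update>, String> {
    let mut merged = parse_submodule_sections(gitmodules, Source::GitModules);
    for (section, keys) in parse_submodule_sections(gitconfig, Source::GitConfig) {
        merged.entry(section).or_default().extend(keys);
    }
    let Some((value, source)) = merged.get(name).and_then(|s| s.get("update")) else {
        return Ok(None);
    };
    match value.strip_prefix('!') {
        Some(cmd) if *source == Source::GitConfig => Ok(Some(Update::Command(cmd.to_string()))),
        Some(cmd) => Err(format!("refusing `!{cmd}` for submodule {name:?}: it comes from .gitmodules")),
        None => Ok(Some(Update::Strategy(value.clone()))),
    }
}

/// Constructed sample: `.git/config` as `git submodule init` leaves it (no `update` key).
pub const GITCONFIG_AFTER_INIT: &str =
    "[core]\n\trepositoryformatversion = 0\n[submodule \"dep\"]\n\turl = https://example.invalid/dep.git\n\tactive = true\n";
/// Constructed sample: `.gitmodules` after the attacker's follow-up push.
pub const GITMODULES_AFTER_PUSH: &str =
    "[submodule \"dep\"]\n\tpath = dep\n\turl = https://example.invalid/dep.git\n\tupdate = !touch /tmp/pwned\n";

fn main() {
    let common_dir = Path::new("repo/.git");
    for name in ["lib", "../../../escaped-target.git"] {
        match submodule_git_dir(common_dir, name) {
            Some(dir) => println!("{name:?} -> {}", dir.display()),
            None => println!("{name:?} -> rejected, would escape modules/"),
        }
    }
    match resolve_update(GITMODULES_AFTER_PUSH, GITCONFIG_AFTER_INIT, "dep") {
        Ok(update) => println!("update strategy for dep: {update:?}"),
        Err(err) => println!("{err}"),
    }
}
```

Running `main` walks both attack chains against the constructed inputs: the traversal name is refused before any path is built, and the `!touch /tmp/pwned` value is refused because the only `update` key present came from `.gitmodules`, even though `.git/config` does contain a `[submodule "dep"]` section. Replacing the sample `.git/config` with one that carries its own `update = !…` line yields `Update::Command`, which is the case a local configuration is allowed to express.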