{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/repository-confusion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["gix","gitoxide"],"_cs_severities":["high"],"_cs_tags":["path-traversal","git","repository-confusion","supply-chain"],"_cs_type":"advisory","_cs_vendors":["GitoxideLabs"],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in the gix and gitoxide libraries. The vulnerability stems from the lack of validation of submodule names extracted from the \u003ccode\u003e.gitmodules\u003c/code\u003e file. Specifically, these submodule names are used to construct file paths for accessing submodule Git directories. An attacker can craft a malicious \u003ccode\u003e.gitmodules\u003c/code\u003e file containing a submodule name with path traversal sequences (e.g., \u003ccode\u003e../../../escaped-target.git\u003c/code\u003e). This allows the attacker to redirect \u003ccode\u003estate()\u003c/code\u003e and \u003ccode\u003eopen()\u003c/code\u003e calls to an arbitrary repository outside the intended \u003ccode\u003e.git/modules\u003c/code\u003e directory. This can cause a vulnerable application using these libraries to operate on an unexpected repository, leading to potential security issues. The vulnerability affects gix versions prior to 0.83.0 and gitoxide versions up to and including 0.52.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.gitmodules\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.gitmodules\u003c/code\u003e file contains a submodule name with path traversal sequences (e.g., \u003ccode\u003e../../../escaped-target.git\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA vulnerable application using gix or gitoxide parses the malicious \u003ccode\u003e.gitmodules\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe application extracts the unvalidated submodule name from the \u003ccode\u003e.gitmodules\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path to the submodule\u0026rsquo;s Git directory using the unvalidated name: \u003ccode\u003e\u0026lt;superproject common_dir\u0026gt;/modules/\u0026lt;submodule name\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences in the submodule name, the constructed path escapes the intended \u003ccode\u003e.git/modules\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003estate()\u003c/code\u003e or \u003ccode\u003eopen()\u003c/code\u003e using the escaped path, which leads to an attacker-controlled repository.\u003c/li\u003e\n\u003cli\u003eThe application performs operations (enumeration, inspection, etc.) on the attacker-chosen repository, potentially leading to information disclosure or other unexpected behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability can lead to repository confusion, where a vulnerable application operates on an unintended repository. While the report does not claim direct command execution, the redirection of repository access can have significant consequences. For example, if the application relies on submodule state for access control or other security-sensitive operations, an attacker could potentially bypass these checks by redirecting the application to a controlled repository. The number of victims and sectors affected depend on the adoption of the vulnerable gix and gitoxide libraries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to gix version 0.83.0 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eUpgrade to a version of gitoxide later than 0.52.0, if available (or switch to gix).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Git Submodule Path Traversal in Configuration\u003c/code\u003e to identify potentially malicious \u003ccode\u003e.gitmodules\u003c/code\u003e files based on submodule name patterns.\u003c/li\u003e\n\u003cli\u003eSanitize or validate submodule names before using them to construct file paths, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for suspicious activity related to submodule operations, especially those involving unusual file paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-git-submodule-path-traversal/","summary":"A path traversal vulnerability exists in gix and gitoxide where unvalidated submodule names from `.gitmodules` can be used to escape the `.git/modules` directory, potentially leading to repository confusion by redirecting submodule state inspection and open operations to attacker-controlled paths.","title":"gix and gitoxide Submodule Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-29-git-submodule-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Repository-Confusion","version":"https://jsonfeed.org/version/1.1"}