CVE intelligence and bounded remediation
CVE-2024-40644 — gitoxide An idiomatic, lean, fast & safe pure Rust implementation of Git
gitoxide An idiomatic, lean, fast & safe pure Rust implementation of Git. `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account on Windows systems. Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While `gix-path` first looks for `git` using a `PATH` search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories. Existing functions, as well as the newly introduced `exe_invocation` function, were updated to make use of these alternative locations. This causes facilities in `gix_path::env` to directly execute `git.exe` in those locations, as well as to return its path or whatever configuration it reports to callers who rely on it. Although unusual setups where the system drive is not `C:`, or even where Program Files directories have non-default names, are technically possible, the main problem arises on a 32-bit Windows system. Such a system has no `C:\Program Files (x86)` directory. A limited user on a 32-bit Windows system can therefore cr…
- Severity
- Medium
- CVSS
- 6.8 (3.1)
- Published
- 2024-07-18
- CISA KEV
- Not currently listed
- Ecosystem
- windows/system
- Weaknesses
- CWE-345
Affected products
No browser-safe affected-product rows are available.
Matched remediation archetype
Supply-chain, dependency, build, and update integrity
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Trace affected packages, source archives, build actions, plugins, installers, and updates from declared source to deployed artifact.
- Confirm provenance, signatures or digests, namespace ownership, lockfile resolution, registry configuration, and build-runner trust boundaries.
- Inventory direct, transitive, vendored, generated, and bundled copies across releases and distribution channels.
Remediate safely
- Move to a maintained trusted artifact or remove the dependency; pin immutable identities and verify provenance and integrity before use.
- Regenerate lockfiles and artifacts in a clean isolated build, minimize build credentials and network access, and produce an updated software bill of materials.
- Require reviewed update policy, protected publishing, and reproducible or independently attestable builds where supported.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.