Use of Incorrectly-Resolved Name or Reference in gix-path - CVE-2024-45305

 

Use of Incorrectly-Resolved Name or Reference in gix-path - CVE-2024-45305

Published: August 31, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129773
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-45305
CWE-ID: CWE-706
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitoxideLabs
Affected software:
gix-path

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to use of incorrectly resolved name or reference in gix_path::env installation_config and installation_config_prefix when parsing the output of git config -l --show-origin to determine the installation configuration path. A remote attacker can cause local repository configuration to be treated as installation-wide configuration to disclose sensitive information.

User interaction is required, and exploitation occurs in uncommon situations where higher-scoped Git configuration is absent or deliberately disabled, such as when operating on one repository while located inside another repository.


How to mitigate CVE-2024-45305

Install security update from vendor's website.

Sources