
Find real vulnerabilities before they ship
The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnerability (involving a username field) that is more difficult to exploit.
Base Score
4.1| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| gix-transport(crates.io) | 0 | 0.36.1 | N/A |
| Base Score | 4.1 |
|---|---|
| Vector String | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Base Severity | Medium |
| Version | 3.1 |
| Attack Vector (AV) | LOCAL |