gitoxide is an implementation of Git written in Rust. Before 0.42.0, gitoxide used SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. It used the sha1_smol or sha1 crate, both of which implement plain SHA-1 with no mitigation against collision attacks; by contrast, upstream Git hashes objects with SHA-1DC, a variant that detects inputs crafted with the known collision techniques and rejects them. As a result, two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when processed by gitoxide. This vulnerability is fixed in 0.42.0.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| gix-features (crates.io) | 0 | 0.41.0 | N/A |
| gix-commitgraph (crates.io) | 0 | 0.27.0 | N/A |
| gix-index (crates.io) | 0 | 0.39.0 | N/A |
| gix-object (crates.io) | 0 | 0.48.0 | N/A |
| gix-odb (crates.io) | 0 | 0.68.0 | N/A |
| gix-pack (crates.io) | 0 | 0.58.0 | N/A |
| gitoxide (crates.io) | 0 | 0.42.0 | N/A |
| gitoxide-core (crates.io) | 0 | 0.46.0 | N/A |
| gix (crates.io) | 0 | 0.71.0 | N/A |
| gix-archive (crates.io) | 0 | 0.20.0 | N/A |
| gix-blame (crates.io) | 0 | 0.1.0 | N/A |
| gix-config (crates.io) | 0 | 0.44.0 | N/A |
| gix-diff (crates.io) | 0 | 0.51.0 | N/A |
| gix-dir (crates.io) | 0 | 0.13.0 | N/A |
| gix-discover (crates.io) | 0 | 0.39.0 | N/A |
| gix-filter (crates.io) | 0 | 0.18.0 | N/A |
| gix-fsck (crates.io) | 0 | 0.10.0 | N/A |
| gix-merge (crates.io) | 0 | 0.4.0 | N/A |
| gix-negotiate (crates.io) | 0 | 0.19.0 | N/A |
| gix-protocol (crates.io) | 0 | 0.49.0 | N/A |
| gix-ref (crates.io) | 0 | 0.51.0 | N/A |
| gix-revision (crates.io) | 0 | 0.33.0 | N/A |
| gix-revwalk (crates.io) | 0 | 0.19.0 | N/A |
| gix-status (crates.io) | 0 | 0.18.0 | N/A |
| gix-traverse (crates.io) | 0 | 0.45.0 | N/A |
| gix-worktree (crates.io) | 0 | 0.40.0 | N/A |
| gix-worktree-state (crates.io) | 0 | 0.18.0 | N/A |
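The table above gives a fixed version per crate, and every earlier version is affected. A practitioner auditing a Rust project for this advisory would check the resolved versions in its Cargo.lock against those thresholds. The following is an added example written for this page, not gitoxide's own code: it reads the `[[package]]` tables of a Cargo.lock (the standard `name = "..."` / `version = "..."` keys), compares each gix crate's version with the fixed version from the table, and reports the ones that still need an upgrade. The lockfile contents are constructed for the example; no real project is referenced.

```rust
use std::collections::HashMap;

/// Fixed versions from the advisory table; any earlier version of the crate is affected.
const FIXED: &[(&str, &str)] = &[
    ("gix-features", "0.41.0"), ("gix-commitgraph", "0.27.0"), ("gix-index", "0.39.0"),
    ("gix-object", "0.48.0"), ("gix-odb", "0.68.0"), ("gix-pack", "0.58.0"),
    ("gitoxide", "0.42.0"), ("gitoxide-core", "0.46.0"), ("gix", "0.71.0"),
    ("gix-archive", "0.20.0"), ("gix-blame", "0.1.0"), ("gix-config", "0.44.0"),
    ("gix-diff", "0.51.0"), ("gix-dir", "0.13.0"), ("gix-discover", "0.39.0"),
    ("gix-filter", "0.18.0"), ("gix-fsck", "0.10.0"), ("gix-merge", "0.4.0"),
    ("gix-negotiate", "0.19.0"), ("gix-protocol", "0.49.0"), ("gix-ref", "0.51.0"),
    ("gix-revision", "0.33.0"), ("gix-revwalk", "0.19.0"), ("gix-status", "0.18.0"),
    ("gix-traverse", "0.45.0"), ("gix-worktree", "0.40.0"), ("gix-worktree-state", "0.18.0"),
];

/// Constructed sample Cargo.lock for the example (not taken from any real project).
pub const SAMPLE_CARGO_LOCK: &str = r#"
[[package]]
name = "gix"
version = "0.70.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "gix-features"
version = "0.41.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "gix-object"
version = "0.47.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "sha1_smol"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Parse "MAJOR.MINOR.PATCH" into a comparable triple; pre-release/build suffixes are dropped.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Strip the surrounding double quotes of a TOML string value.
fn unquote(s: &str) -> Option<&str> {
    s.strip_prefix('"')?.strip_suffix('"')
}

/// Minimal Cargo.lock reader: collect (name, version) from every [[package]] table.
/// Other keys (source, checksum, dependencies) are ignored on purpose.
pub fn parse_cargo_lock(text: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            // A new table starts: flush the previous one if it was complete.
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push((n, v));
            }
        } else if let Some(v) = line.strip_prefix("name = ").and_then(unquote) {
            name = Some(v.to_string());
        } else if let Some(v) = line.strip_prefix("version = ").and_then(unquote) {
            version = Some(v.to_string());
        }
    }
    if let (Some(n), Some(v)) = (name, version) {
        out.push((n, v));
    }
    out
}

/// Return (crate, resolved version, fixed version) for every crate below its fixed version.
pub fn affected(packages: &[(String, String)]) -> Vec<(String, String, String)> {
    let fixed: HashMap<&str, &str> = FIXED.iter().copied().collect();
    let mut hits = Vec::new();
    for (name, version) in packages {
        if let Some(fix) = fixed.get(name.as_str()) {
            match (parse_version(version), parse_version(fix)) {
                (Some(have), Some(want)) if have < want => {
                    hits.push((name.clone(), version.clone(), fix.to_string()))
                }
                _ => {}
            }
        }
    }
    hits
}

/// Convenience entry point: audit a whole Cargo.lock text.
pub fn audit(lock: &str) -> Vec<(String, String, String)> {
    affected(&parse_cargo_lock(lock))
}

fn main() {
    for (name, have, fix) in audit(SAMPLE_CARGO_LOCK) {
        println!("{} {} is affected; upgrade to >= {}", name, have, fix);
    }
}
```

On the sample lockfile, `gix 0.70.0` and `gix-object 0.47.0` are reported, while `gix-features 0.41.0` already meets its fixed version and `sha1_smol` is not itself an advisory entry. In a real audit, run it over the project's own Cargo.lock; a transitive dependency on an old gix crate is caught just as a direct one is, because the lockfile records every resolved crate.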