{"id":"AZL-40264","summary":"CVE-2024-32884 affecting package rust for versions less than 1.72.0-8","details":"gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs. This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. This issue has been patched in versions 0.35.0, 0.42.0 and 0.62.0.","modified":"2026-04-21T04:28:58.015287Z","published":"2024-04-26T18:15:46Z","upstream":["CVE-2024-32884"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32884"}],"affected":[{"package":{"name":"rust","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/rust"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.72.0-8"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-40264.json"}}],"schema_version":"1.7.5"}