CVE-2024-21529
Prototype Pollution vulnerability in dset (npm)

Prototype Pollution | No known exploit | Fixable by Resolved Security

What is CVE-2024-21529 About?

Versions of the npm package dset before 3.1.4 are vulnerable to prototype pollution. dset sets a value at a key path inside an object; the path is given either as a dot-delimited string or as an array of keys. It refuses to walk through the keys '__proto__', 'constructor' and 'prototype', but that check only matches string keys: a key supplied as a non-string value, such as the nested array ['__proto__'], slips past the comparison while the property access that follows coerces it to the string '__proto__'. An attacker who controls the key path can therefore add or overwrite properties on Object.prototype, which every object in the process inherits.

Affected Software

dset <3.1.4

Technical Details

The vulnerability is a prototype pollution flaw in the dset function, which writes a value at a key path inside a target object. The path is either a dot-delimited string, which dset splits into string segments, or an array of keys supplied directly by the caller. At each step dset rejects the special keys '__proto__', 'constructor' and 'prototype' before descending, but the check compares the raw key with strict equality and therefore only recognises those names when the key is a string. When the keys argument is an array containing a non-string element, for example ['__proto__'] or an object whose toString() returns '__proto__', the guard does not match, yet the property lookup that follows converts the key to a string, so dset descends into Object.prototype and writes the remainder of the path there. Because the dotted-string form always yields string segments, the bypass requires the caller to pass the path as an array with a non-string element; applications that build that array from untrusted input (request bodies, query parameters, configuration files) are exposed. Version 3.1.4 fixes this by coercing every key to a string before the comparison.

What is the Impact of CVE-2024-21529?

Properties written to Object.prototype are inherited by every object in the Node.js process or browser page that uses the affected code. Depending on how the application reads those objects, a polluted property can alter control flow that checks whether an option is set, bypass authorization logic that tests for a property on a user or session object, crash the application when code meets an unexpected property (denial of service), or reach a sink such as a template engine or command builder where it leads to code execution. The severity therefore depends on what the application does with its objects after the pollution, not on dset alone.

What is the Exploitability of CVE-2024-21529?

Exploitation requires that the attacker control the keys argument passed to dset as an array containing at least one non-string element (a nested array such as ['__proto__'] is the simplest case), together with the value written at the end of the path. No special privileges or user interaction are needed; the attack is remote whenever an application derives the key path from request data, and local otherwise. Supplying the path as a dot-delimited string does not trigger the bug, because split() only produces string segments that the guard recognises. Once the attacker reaches a code path that forwards a user-controlled array to dset the complexity is low; the difficulty lies in finding such a path in the application. No public exploit is known.

What are the Known Public Exploits?

No known public exploits (PoC, author, link, commentary: none listed).

What are the Available Fixes for CVE-2024-21529?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch prevents prototype pollution by explicitly coercing each key from the input to a string before it is compared with the blocked names, so a key such as '__proto__' can no longer bypass the check by arriving as an array element or another non-string type. Because the comparison now sees the same string that the subsequent property access will use, attempts to assign to '__proto__', 'constructor' or 'prototype' through non-string keys are rejected, which fixes CVE-2024-21529 and keeps Object.prototype intact.
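The following is an added example, written for this page and not taken from dset's source. It reimplements a minimal key-path setter in the shape described in the Technical Details and fix sections above: one version with the string-only guard that the bypass defeats, and one that coerces the key before the check. The function names setPathVulnerable, setPathSafe and demonstrateBypass, and the attacker input ATTACKER_KEYS, are assumptions made for the example.

```javascript
// Added example (illustrative reimplementation, not dset's own source):
// a minimal dotted-path setter with the vulnerable guard and the fixed one.
// The names setPathVulnerable/setPathSafe/demonstrateBypass are assumed.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: the guard compares each raw key by identity.
// A non-string key such as ['__proto__'] is not in the set, yet the
// property access t[k] that follows converts it with String(), giving
// '__proto__' and walking into Object.prototype.
function setPathVulnerable(obj, keys, val) {
  if (typeof keys === 'string') keys = keys.split('.');
  let t = obj;
  for (let i = 0; i < keys.length; i++) {
    const k = keys[i];                         // may be an array or object
    if (BLOCKED_KEYS.has(k)) return obj;       // bypassed when k is not a string
    if (i === keys.length - 1) { t[k] = val; break; }
    if (t[k] === null || typeof t[k] !== 'object') t[k] = {};
    t = t[k];                                  // t[['__proto__']] === t.__proto__
  }
  return obj;
}

// Hardened pattern, following the fix description: coerce the key to a
// string first, so the guard sees exactly the key the access will use.
function setPathSafe(obj, keys, val) {
  if (typeof keys === 'string') keys = keys.split('.');
  let t = obj;
  for (let i = 0; i < keys.length; i++) {
    const k = String(keys[i]);                 // coerce before the check
    if (BLOCKED_KEYS.has(k)) return obj;
    if (i === keys.length - 1) { t[k] = val; break; }
    if (t[k] === null || typeof t[k] !== 'object') t[k] = {};
    t = t[k];
  }
  return obj;
}

// Constructed attacker input: the path is an array whose first element is
// itself an array, so it is not the string '__proto__' and the guard misses it.
const ATTACKER_KEYS = [['__proto__'], 'polluted'];

// Runs the attack against both setters and reports what an unrelated object
// inherits afterwards. Cleans Object.prototype so the demo is repeatable.
function demonstrateBypass() {
  const bystander = {};                        // never touched directly
  setPathVulnerable({}, ATTACKER_KEYS, 'pwned');
  const vulnerableLeaks = bystander.polluted;  // 'pwned': prototype polluted
  delete Object.prototype.polluted;
  setPathSafe({}, ATTACKER_KEYS, 'pwned');
  const safeLeaks = bystander.polluted;        // undefined: guard held
  return { vulnerableLeaks, safeLeaks };
}

console.log(demonstrateBypass());
```

Note that the dotted-string form '__proto__.polluted' is rejected by both versions, because split() yields string segments; the bypass depends entirely on the caller passing an array with a non-string element, which is why the fix coerces before comparing rather than adding more names to the block list.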

Available Upgrade Options

  • dset
    • <3.1.4 → Upgrade to 3.1.4


Additional Resources

What are Similar Vulnerabilities to CVE-2024-21529?

Similar Vulnerabilities: CVE-2023-50164, CVE-2023-38035, CVE-2023-36830, CVE-2023-35805, CVE-2023-32315