CVE-2024-51990
CRITICAL
jj-lib < 0.23.0 - Path Traversal and Arbitrary File Write
Title source: llm
Description
jj, or Jujutsu, is a Git-compatible VCS written in Rust. In affected versions, specially crafted Git repositories can cause `jj` to write files outside the clone. This issue has been addressed in version 0.23.0. Users are advised to upgrade. Users unable to upgrade should avoid cloning repos from unknown sources.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/martinvonz/jj/security/advisories/GHSA-88h5-6w7m-5w56
Scores
CVSS v4
9.3
EPSS
0.0059
EPSS Percentile
43.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (2)
crates.io/jj-lib
0 - 0.23.0
crates.io
martinvonz/jj
< 0.23.0
Published
Nov 07, 2024
Tracked Since
Feb 18, 2026