Bug ID 1230081
Summary VUL-0: CVE-2024-45305: cargo-audit: gix-path: gix-path uses local config across repos when it is the highest scope
Classification openSUSE
Product openSUSE Tumbleweed
Version Slowroll
Hardware Other
URL https://smash.suse.de/issue/419537/
OS Other
Status NEW
Severity Minor
Priority P5 - None
Component Security
Assignee william.brown@suse.com
Reporter thomas.leroy@suse.com
QA Contact security-team@suse.de
Blocks 1230079
Target Milestone ---
Found By Security Response Team
Blocker ---

+++ This bug was initially created as a clone of Bug #1230079 +++

gix-path is a crate of the gitoxide project dealing with git paths and their
conversions. `gix-path` executes `git` to find the path of a configuration file
that belongs to the `git` installation itself, but mistakenly treats the local
repository's configuration as system-wide if no higher scoped configuration is
found. In rare cases, this causes a less trusted repository to be treated as
more trusted, or leaks sensitive information from one repository to another,
such as sending credentials to another repository's remote. In `gix_path::env`,
the underlying implementation of the `installation_config` and
`installation_config_prefix` functions calls `git config -l --show-origin` and
parses the first line of the output to extract the path to the configuration
file holding the configuration variable of highest scope. It is believed to be
very difficult to exploit this vulnerability deliberately, due to the need
either to anticipate a situation in which higher-scoped configuration variables
would be absent, or to arrange for this to happen. Although any operating
system may be affected, users running Apple Git on macOS are much less likely
to be affected. This issue has been addressed in release version 0.10.10. All
users are advised to upgrade.
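To make the parsing flaw concrete, here is an added Rust example (not gitoxide's own code) that runs the advisory's first-line heuristic against constructed `git config -l --show-origin --show-scope` output and contrasts it with a scope-checked variant; it assumes a git that supports `--show-scope` (2.26 or newer).

```rust
/// Constructed sample of `git config -l --show-origin --show-scope` output on a
/// machine with no system-wide or global git config: only the repository's own
/// config contributes lines, so the first line's origin is the *local* file.
const SAMPLE_LOCAL_ONLY: &str = "\
local\tfile:.git/config\tcore.repositoryformatversion=0
local\tfile:.git/config\tremote.origin.url=https://example.invalid/repo.git
local\tfile:.git/config\tcredential.helper=store";

/// Constructed sample where a system-wide config exists and is listed first.
const SAMPLE_WITH_SYSTEM: &str = "\
system\tfile:/etc/gitconfig\tcore.autocrlf=false
global\tfile:/home/user/.gitconfig\tuser.name=User
local\tfile:.git/config\tcore.repositoryformatversion=0";

/// The heuristic the advisory describes: take the origin of the first line and
/// assume it belongs to the highest (installation-level) scope. With no higher
/// scoped config present, this returns the repository's own config file.
pub fn first_origin_path(output: &str) -> Option<String> {
    let line = output.lines().next()?;
    // Tolerate output with or without the scope column; strip the "file:" prefix.
    let origin = line.split('\t').find(|f| f.starts_with("file:"))?;
    Some(origin.trim_start_matches("file:").to_string())
}

/// Scope-checked variant: only accept an origin whose scope column is `system`,
/// so an absent system config yields None instead of a lower-scoped file.
pub fn system_config_path(output: &str) -> Option<String> {
    output.lines().find_map(|line| {
        let mut fields = line.split('\t');
        match (fields.next(), fields.next()) {
            (Some("system"), Some(origin)) if origin.starts_with("file:") => {
                Some(origin.trim_start_matches("file:").to_string())
            }
            _ => None,
        }
    })
}

fn main() {
    // Naive: Some(".git/config") -- a local file mistaken for installation config.
    println!("naive:  {:?}", first_origin_path(SAMPLE_LOCAL_ONLY));
    // Scoped: None, because no system-scope line exists.
    println!("scoped: {:?}", system_config_path(SAMPLE_LOCAL_ONLY));
    // Scoped: Some("/etc/gitconfig") when a system config is present.
    println!("scoped: {:?}", system_config_path(SAMPLE_WITH_SYSTEM));
}
```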

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-45305
https://www.cve.org/CVERecord?id=CVE-2024-45305
https://git-scm.com/docs/git-config#SCOPES
https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L112
https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L91
https://github.com/Byron/gitoxide/security/advisories/GHSA-v26r-4c9c-h3j6
