Joern Schneeweisz

**Name of the Vulnerable Software and Affected Versions** GitLab AI Gateway versions 18.1.6 through 18.8.0 **Description** The GitLab AI Gateway’s Duo Workflow Service component contains a flaw related to improper code generation. This issue allows authenticated attackers to cause a Denial of Service or achieve Remote Code Execution (RCE) by submitting specially crafted requests. The vulnerability stems from insecure template expansion of user-supplied data within crafted Duo Agent Platform Flow definitions. **Recommendations** Upgrade to GitLab AI Gateway version 18.6.2 or later. Upgrade to GitLab AI Gateway version 18.7.1 or later. Upgrade to GitLab AI Gateway version 18.8.1 or later.

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 16.6 through 17.0.4 GitLab CE/EE versions 17.1 through 17.1.2 GitLab CE/EE versions 17.2 through 17.2.0 Description: A cross-site scripting issue exists, allowing an attacker to execute arbitrary scripts under the context of the current logged-in user. This is due to inadequate protection of the web page structure. The exploitation of this issue can enable a remote attacker to execute arbitrary code. Recommendations: For GitLab CE/EE versions 16.6 through 17.0.4, update to version 17.0.5 or later. For GitLab CE/EE versions 17.1 through 17.1.2, update to version 17.1.3 or later. For GitLab CE/EE versions 17.2 through 17.2.0, update to version 17.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Git versions prior to 2.39.2 Git versions prior to 2.38.4 Git versions prior to 2.37.6 Git versions prior to 2.36.5 Git versions prior to 2.35.7 Git versions prior to 2.34.7 Git versions prior to 2.33.7 Git versions prior to 2.32.6 Git versions prior to 2.31.7 Git versions prior to 2.30.8 **Description** The issue is related to path traversal in Git, a revision control system. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. This can allow a remote attacker to overwrite arbitrary files in the system. **Recommendations** For versions prior to 2.39.2, update to version 2.39.2 or later. For versions prior to 2.38.4, update to version 2.38.4 or later. For versions prior to 2.37.6, update to version 2.37.6 or later. For versions prior to 2.36.5, update to version 2.36.5 or later. For versions prior to 2.35.7, update to version 2.35.7 or later. For versions prior to 2.34.7, update to version 2.34.7 or later. For versions prior to 2.33.7, update to version 2.33.7 or later. For versions prior to 2.32.6, update to version 2.32.6 or later. For versions prior to 2.31.7, update to version 2.31.7 or later. For versions prior to 2.30.8, update to version 2.30.8 or later. As a temporary workaround, use `git apply --stat` to inspect a patch before applying and avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.

**Name of the Vulnerable Software and Affected Versions** Git versions prior to 2.30.7 **Description** The issue is related to an integer overflow in the `pretty.c::format and pad commit()` function of the Git distributed revision control system. This overflow can result in arbitrary heap writes, potentially leading to arbitrary code execution. The vulnerability can be triggered directly by a user running a command that invokes the commit formatting machinery, such as `git log --format=...`, or indirectly through `git archive` via the `export-subst` mechanism. **Recommendations** For versions prior to 2.30.7, upgrade to a version published on or after 2023-01-17. If an upgrade is not possible, disable `git archive` in untrusted repositories. If `git archive` is exposed via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.

**Name of the Vulnerable Software and Affected Versions** HashiCorp go-getter versions 1.5.11 and earlier, 2.0.2 and earlier **Description** The issue allows for asymmetric resource exhaustion when processing malicious HTTP responses. It also enables protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Additionally, arbitrary host access is possible through path traversal, symlink processing, and command injection flaws. Malicious HTTP responses can cause misbehaviors, including overwriting local files, resource exhaustion, and panics. A panic can be triggered when processing password-protected ZIP files. **Recommendations** For versions 1.5.11 and earlier, update to version 1.6.1 or later. For version 2.0.2, update to version 2.1.0 or later. As a temporary workaround, consider restricting access to the `go-getter` function until a patch is available. Avoid using `go-getter` to process malicious HTTP responses until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** HashiCorp go-getter versions 1.5.11 and earlier, 2.0.2 and earlier HashiCorp go-getter versions up to 2.0.2 **Description** The issue allows for arbitrary host access via path traversal, symlink processing, and command injection flaws. It also enables protocol switching, endless redirect, and configuration bypass through abuse of custom HTTP response header processing. Additionally, asymmetric resource exhaustion can occur when processing malicious HTTP responses. Malicious HTTP responses can cause misbehaviors, including overwriting local files, resource exhaustion, and panics. **Recommendations** For HashiCorp go-getter versions 1.5.11 and earlier, update to version 1.6.1 or later. For HashiCorp go-getter versions 2.0.2 and earlier, update to version 2.1.0 or later. As a temporary workaround, consider restricting the use of go-getter until a patch is applied. Avoid using go-getter to process malicious or untrusted HTTP responses.

**Name of the Vulnerable Software and Affected Versions** HashiCorp go-getter versions 1.5.11 and earlier HashiCorp go-getter versions 2.0.2 and earlier **Description** The issue concerns the unsafe download handling in HashiCorp go-getter. Malicious HTTP responses can cause various misbehaviors, including overwriting local files, resource exhaustion, and panics. Specifically, protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing. Additionally, arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws. Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses. Furthermore, a panic can be triggered when go-getter processes password-protected ZIP files. **Recommendations** For HashiCorp go-getter versions 1.5.11 and earlier, update to version 1.6.1 or later. For HashiCorp go-getter versions 2.0.2 and earlier, update to version 2.1.0 or later. As a temporary workaround, consider restricting access to the `go-getter` command until a patch is available. Avoid using `go-getter` to process malicious HTTP responses or password-protected ZIP files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** HashiCorp go-getter versions 1.5.11 and earlier HashiCorp go-getter versions 2.0.2 and earlier **Description** The issue is related to the lack of input data sanitization in the go-getter library, which can be exploited by a remote attacker to impact the confidentiality, integrity, and availability of protected information. Malicious HTTP responses can cause various misbehaviors, including overwriting local files, resource exhaustion, and panics. Specifically, protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing. Additionally, arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws. Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses. **Recommendations** For HashiCorp go-getter versions 1.5.11 and earlier, update to version 1.6.1 or later. For HashiCorp go-getter versions 2.0.2 and earlier, update to version 2.1.0 or later. As a temporary workaround, consider restricting access to the go-getter library until a patch is applied. Avoid using the go-getter library to process malicious HTTP responses or password-protected ZIP files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Asciidoctor-include-ext versions prior to 0.4.0 **Description** The issue allows an attacker to execute arbitrary system commands on the host operating system when used to render user-supplied input in AsciiDoc markup. This attack is possible even when `allow-uri-read` is disabled. **Recommendations** For versions prior to 0.4.0, update to version 0.4.0 or later to resolve the issue. As a temporary workaround, consider applying the provided patch to the `target uri?` method in the `Asciidoctor::IncludeExt::IncludeProcessor` class to mitigate the command injection vulnerability.

**Name of the Vulnerable Software and Affected Versions** eramba versions c2.8.1 and earlier, eramba Enterprise versions prior to e2.19.3 **Description** The issue is related to a weak password recovery token. Specifically, the `createHash` function has only a million possibilities, which is considered insecure. **Recommendations** For eramba versions c2.8.1 and earlier, update to a version later than c2.8.1. For eramba Enterprise versions prior to e2.19.3, update to version e2.19.3 or later.

**Name of the Vulnerable Software and Affected Versions** eramba versions c2.8.1 through e2.19.2 eramba Enterprise versions prior to e2.19.3 **Description** The issue allows for cross-site scripting (XSS) attacks via a crafted filename for a file attached to an object. This can be achieved by including a complete XSS payload followed by a file extension, such as .png, in the filename. **Recommendations** For eramba versions c2.8.1 through e2.19.2, update to version e2.19.3 or later. For eramba Enterprise versions prior to e2.19.3, update to version e2.19.3 or later.

**Name of the Vulnerable Software and Affected Versions** Git versions prior to 2.20.2 Git versions 2.21.x prior to 2.21.1 Git versions 2.22.x prior to 2.22.2 Git versions 2.23.x prior to 2.23.1 Git versions 2.24.x prior to 2.24.1 **Description** The issue allows for arbitrary command execution because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. This can enable a remote attacker to access confidential data, compromise data integrity, and cause a denial of service. **Recommendations** For Git versions prior to 2.20.2, update to version 2.20.2 or later. For Git versions 2.21.x prior to 2.21.1, update to version 2.21.1 or later. For Git versions 2.22.x prior to 2.22.2, update to version 2.22.2 or later. For Git versions 2.23.x prior to 2.23.1, update to version 2.23.1 or later. For Git versions 2.24.x prior to 2.24.1, update to version 2.24.1 or later.

**Name of the Vulnerable Software and Affected Versions** git versions prior to 6.20170818 git-scm git (affected versions not specified) **Description** A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. This can be done by placing the URL in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the issue. The `git-annex` command is also vulnerable to command injection via malicious SSH hostname. If the hostname parsed from the URL is something like `-eProxyCommand=evil`, this could result in arbitrary local code execution. An attacker could exploit this by tricking the victim into adding a remote something like `ssh://-eProxyCommand=evil/blah` or by using `initremote` with an SSH remote and embedding the URL in the `git-annex` branch. **Recommendations** For git versions prior to 6.20170818, update to version 6.20170818 or later to resolve the issue. For git-scm git, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider avoiding the use of `git clone --recurse-submodules` with untrusted projects and restricting the use of `git-annex` with SSH remotes until a patch is available. Avoid using URLs that start with `ssh://` and contain potentially malicious hostnames, such as those starting with `-eProxyCommand=`.