CVE-2012-4465

Name of the Vulnerable Software and Affected Versions cgit versions 0.9.0.3 and earlier

Description The issue is related to a heap-based buffer overflow in the substr function in parsing.c, which can be exploited by remote authenticated users. This can lead to a denial of service (crash) and possibly the execution of arbitrary code via an empty username in the "Author" field in a commit. The vulnerability can be exploited remotely by an attacker who has passed the authentication procedure, potentially disrupting the confidentiality, integrity, and availability of protected information.

Recommendations For cgit versions 0.9.0.3 and earlier, update to a version later than 0.9.0.3 to resolve the issue. As a temporary workaround, consider restricting access to the substr function in parsing.c to minimize the risk of exploitation. Avoid using empty usernames in the "Author" field in commits until the issue is resolved.