PT-2014-5942 · Gitlist · Gitlist

Drone

Published

2014-07-22

Updated

2018-08-13

CVE-2014-4511

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Gitlist versions prior to 0.5.0

Description The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a blame, file, or stats page. This can be demonstrated by requests to endpoints such as "blame/master/", "master/", and "stats/master/".

Recommendations For Gitlist versions prior to 0.5.0, update to version 0.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the blame, file, and stats pages until the update is applied. Avoid using shell metacharacters in file names in the URI of requests to these pages.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2014-4511

Affected Products

Gitlist

PT-2014-5942 · Gitlist · Gitlist

CVE-2014-4511

Related Identifiers

Affected Products

References · 11