CVE-2014-4511 - Unspecified vulnerability in Gitlist
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 5 |
Exploit-Db
description | Gitlist <= 0.4.0 - Remote Code Execution. CVE-2013-7392,CVE-2014-4511,CVE-2014-5023. Remote exploits for multiple platform |
file | exploits/multiple/remote/33929.py |
id | EDB-ID:33929 |
last seen | 2016-02-03 |
modified | 2014-06-30 |
platform | multiple |
port | |
published | 2014-06-30 |
reporter | drone |
source | https://www.exploit-db.com/download/33929/ |
title | Gitlist <= 0.4.0 - Remote Code Execution |
type | remote |

description | Gitlist Unauthenticated Remote Command Execution. CVE-2013-7392,CVE-2014-4511. Remote exploits for multiple platform |
file | exploits/multiple/remote/33990.rb |
id | EDB-ID:33990 |
last seen | 2016-02-03 |
modified | 2014-07-07 |
platform | multiple |
port | 80 |
published | 2014-07-07 |
reporter | metasploit |
source | https://www.exploit-db.com/download/33990/ |
title | Gitlist Unauthenticated Remote Command Execution |
type | remote |
Metasploit
description | This module exploits an unauthenticated remote command execution vulnerability in version 0.4.0 of Gitlist. The problem exists in the handling of a specially crafted file name when trying to blame it. |
id | MSF:EXPLOIT/LINUX/HTTP/GITLIST_EXEC |
last seen | 2020-05-06 |
modified | 2017-08-29 |
published | 2014-07-01 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/gitlist_exec.rb |
title | Gitlist Unauthenticated Remote Command Execution |
Packetstorm
data source | https://packetstormsecurity.com/files/download/127281/gitlist-exec.txt |
id | PACKETSTORM:127281 |
last seen | 2016-12-05 |
published | 2014-06-30 |
reporter | drone |
source | https://packetstormsecurity.com/files/127281/Gitlist-0.4.0-Remote-Code-Execution.html |
title | Gitlist 0.4.0 Remote Code Execution |

data source | https://packetstormsecurity.com/files/download/127364/gitlist_exec.rb.txt |
id | PACKETSTORM:127364 |
last seen | 2016-12-05 |
published | 2014-07-06 |
reporter | drone |
source | https://packetstormsecurity.com/files/127364/Gitlist-Unauthenticated-Remote-Command-Execution.html |
title | Gitlist Unauthenticated Remote Command Execution |
Saint
bid | 68253 |
description | GitList blame resource command injection |
id | web_prog_cgi_gitlistblame |
osvdb | 108504 |
title | gitlist_blame |
type | remote |
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:87092 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-87092 |
title | Gitlist <= 0.4.0 - Remote Code Execution |
References
- http://www.exploit-db.com/exploits/33929
- http://www.exploit-db.com/exploits/33990
- http://packetstormsecurity.com/files/127364/Gitlist-Unauthenticated-Remote-Command-Execution.html
- http://hatriot.github.io/blog/2014/06/29/gitlist-rce/
- http://packetstormsecurity.com/files/127281/Gitlist-0.4.0-Remote-Code-Execution.html
- https://groups.google.com/forum/#%21topic/gitlist/Hw_KdZfA4js