CVE-2014-4511 - Unspecified vulnerability in Gitlist

047910
CVSS: 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
gitlist
exploit available
metasploit

Summary

Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/.

Vulnerable Configurations

Part: Application
Description: Gitlist
Count: 5

Exploit-Db

  • description: Gitlist <= 0.4.0 - Remote Code Execution. CVE-2013-7392,CVE-2014-4511,CVE-2014-5023. Remote exploits for multiple platform
    file: exploits/multiple/remote/33929.py
    id: EDB-ID:33929
    last seen: 2016-02-03
    modified: 2014-06-30
    platform: multiple
    port:
    published: 2014-06-30
    reporter: drone
    source: https://www.exploit-db.com/download/33929/
    title: Gitlist <= 0.4.0 - Remote Code Execution
    type: remote
  • description: Gitlist Unauthenticated Remote Command Execution. CVE-2013-7392,CVE-2014-4511. Remote exploits for multiple platform
    file: exploits/multiple/remote/33990.rb
    id: EDB-ID:33990
    last seen: 2016-02-03
    modified: 2014-07-07
    platform: multiple
    port: 80
    published: 2014-07-07
    reporter: metasploit
    source: https://www.exploit-db.com/download/33990/
    title: Gitlist Unauthenticated Remote Command Execution
    type: remote

Metasploit

description: This module exploits an unauthenticated remote command execution vulnerability in version 0.4.0 of Gitlist. The problem exists in the handling of a specially crafted file name when trying to blame it.
id: MSF:EXPLOIT/LINUX/HTTP/GITLIST_EXEC
last seen: 2020-05-06
modified: 2017-08-29
published: 2014-07-01
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/gitlist_exec.rb
title: Gitlist Unauthenticated Remote Command Execution

Packetstorm

Saint

bid: 68253
description: GitList blame resource command injection
id: web_prog_cgi_gitlistblame
osvdb: 108504
title: gitlist_blame
type: remote

Seebug

bulletinFamily: exploit
description: No description provided by source.
id: SSV:87092
last seen: 2017-11-19
modified: 2014-07-01
published: 2014-07-01
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-87092
title: Gitlist <= 0.4.0 - Remote Code Execution