CVE-2014-5023 - Remote Command Execution vulnerability in GitList

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
network
gitlist
exploit available

Summary

Repository.php in Gitter, as used in Gitlist, allows remote attackers with commit privileges to execute arbitrary commands via shell metacharacters in a branch name, as demonstrated by a "git checkout -b" command. CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') (http://cwe.mitre.org/data/definitions/77.html)

Vulnerable Configurations

Part | Description | Count
Application | Gitlist | 1

Exploit-Db

description: Gitlist <= 0.4.0 - Remote Code Execution. CVE-2013-7392,CVE-2014-4511,CVE-2014-5023. Remote exploits for multiple platform
file: exploits/multiple/remote/33929.py
id: EDB-ID:33929
last seen: 2016-02-03
modified: 2014-06-30
platform: multiple
port:
published: 2014-06-30
reporter: drone
source: https://www.exploit-db.com/download/33929/
title: Gitlist <= 0.4.0 - Remote Code Execution
type: remote