A directory traversal vulnerability was discovered in cgit prior to 1.2.1.  The issue dates back to cgit-0.8 (commit https://git.zx2c4.com/cgit/commit/?id=02a545e63), from 2008.

When enable-http-clone is enabled (as it is by default), it is trivial to retrieve any file readable by the webserver account.  For example, with cgit serving a repository in /var/lib/git, the following URL can be used to read /etc/passwd:

    http://localhost/cgit/git.git/objects/?path=../../../../../etc/passwd

Setting enable-http-clone=0 in /etc/cgitrc can be used to mitigate the issue. 

Note: the cgit cache must be manually cleared or the 5 minute TTL must expire regardless of whether the above mitigation is used or the patched packages are deployed.

This issue was reported by Jann Horn.

References:
https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html

Upstream Patch:
https://git.zx2c4.com/cgit/commit/?id=53efaf30b

Updates for all Fedora and EPEL releases were created earlier today, prior to the assignment of the CVE:

F27: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a407b85547
F28: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a5a7f83e1b
EL6: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-40277073c5
EL7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-38987c542e