Bug 1612379 (CVE-2018-14912) - CVE-2018-14912 cgit: directory traversal vulnerability in cgit < 1.2.1
Summary: CVE-2018-14912 cgit: directory traversal vulnerability in cgit < 1.2.1
Status: CLOSED ERRATA
Alias: CVE-2018-14912
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Red Hat Product Security
Reported: 2018-08-03 21:28 UTC by Todd Zullinger
Modified: 2021-10-19 09:04 UTC

Fixed In Version: cgit 1.2.1
Last Closed: 2021-10-19 09:04:48 UTC
Description Todd Zullinger 2018-08-03 21:28:07 UTC
A directory traversal vulnerability was discovered in cgit prior to 1.2.1.  The issue dates back to cgit-0.8 (commit https://git.zx2c4.com/cgit/commit/?id=02a545e63), from 2008.

When enable-http-clone is enabled (as it is by default), it is trivial to retrieve any file readable by the webserver account.  For example, with cgit serving a repository in /var/lib/git, the following URL can be used to read /etc/passwd:

    http://localhost/cgit/git.git/objects/?path=../../../../../etc/passwd

Setting enable-http-clone=0 in /etc/cgitrc can be used to mitigate the issue. 

Note: the cgit cache must be manually cleared or the 5 minute TTL must expire regardless of whether the above mitigation is used or the patched packages are deployed.

This issue was reported by Jann Horn.

References:
https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html

Upstream Patch:
https://git.zx2c4.com/cgit/commit/?id=53efaf30b

Updates for all Fedora and EPEL releases were created earlier today, prior to the assignment of the CVE:

F27: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a407b85547
F28: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a5a7f83e1b
EL6: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-40277073c5
EL7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-38987c542e
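
As a detection aid for the request shape shown in the description above, the following is an added example (not part of the bug report and not cgit code) that scans web server access logs for `objects/` requests whose `path` parameter contains a `..` segment, including percent-encoded forms. It assumes Apache/nginx combined log format; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Aug/2018:21:30:01 +0000] "GET /cgit/git.git/objects/?path=../../../../../etc/passwd HTTP/1.1" 200 1532 "-" "curl/7.61.0"',
    '192.0.2.11 - - [03/Aug/2018:21:31:12 +0000] "GET /cgit/git.git/objects/?path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 400 120 "-" "-"',
    '198.51.100.7 - - [03/Aug/2018:21:32:40 +0000] "GET /cgit/git.git/objects/info/packs HTTP/1.1" 200 54 "-" "git/2.17.1"',
    '198.51.100.7 - - [03/Aug/2018:21:32:41 +0000] "GET /cgit/git.git/objects/?path=pack/pack-1234.idx HTTP/1.1" 200 9000 "-" "git/2.17.1"',
]

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded dots are also exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(path_value):
    """True if any '/'- or '\\'-separated segment of the value is '..'."""
    return ".." in re.split(r"[/\\]", path_value)

def find_traversal_requests(lines):
    """Return (client, decoded path value, HTTP status) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        # Only the http-clone "objects" page takes the path parameter of interest.
        if not url.path.rstrip("/").endswith("/objects"):
            continue
        # parse_qs decodes once; fully_unquote handles further encoding layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("path", []):
            value = fully_unquote(raw)
            if is_traversal(value):
                hits.append((client, value, int(status)))
    return hits

if __name__ == "__main__":
    for client, value, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{client} status={status} path={value}")
```

A hit with status 200 logged before the fix or mitigation was in place is the case to prioritise when reviewing which files the web server account could read.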
