A directory traversal vulnerability was discovered in cgit prior to 1.2.1. The issue dates back to cgit-0.8 (commit https://git.zx2c4.com/cgit/commit/?id=02a545e63), from 2008.
When enable-http-clone is enabled (as it is by default), it is trivial to retrieve any file readable by the webserver account. For example, with cgit serving a repository in /var/lib/git, the following URL can be used to read /etc/passwd:
Setting enable-http-clone=0 in /etc/cgitrc can be used to mitigate the issue.
Note: regardless of whether the mitigation above is applied or the patched packages are deployed, previously cached responses remain until the cgit cache is cleared manually or its 5-minute TTL expires.
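The following audit script is an added example, not part of the advisory or of cgit itself. It reads a cgitrc, reports whether the mitigation (enable-http-clone=0) is in effect, and names the cache directory that still needs clearing. It assumes cgit's documented defaults: enable-http-clone is 1 when unset, cache-size defaults to 0 (caching off), and cache-root defaults to /var/cache/cgit; the sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a cgitrc for the
# enable-http-clone mitigation and the cache that must be cleared.
# Assumes cgit's documented defaults: enable-http-clone=1 when unset,
# cache-size=0 (caching off) when unset, cache-root=/var/cache/cgit.
# Limitation: 'include=' directives in cgitrc are not followed.

# Print the effective value of a cgitrc key: comments and blank lines are
# ignored, whitespace around '=' is tolerated, the last assignment wins,
# and the given default is printed when the key is absent.
cgitrc_get() {
    # $1 = config file, $2 = key, $3 = default when key is absent
    val=$(sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" \
          | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$3"
    fi
}

# Succeed (exit 0) only if the clone endpoints are switched off, i.e. the
# advisory's mitigation is in place; fail otherwise.
cgit_http_clone_mitigated() {
    [ "$(cgitrc_get "$1" enable-http-clone 1)" = "0" ]
}

# Cached pages can keep serving old results until the TTL expires, so print
# the cache directory to clear; print nothing when caching is off.
cgit_cache_dir_to_clear() {
    size=$(cgitrc_get "$1" cache-size 0)
    [ "$size" != "0" ] || return 0
    cgitrc_get "$1" cache-root /var/cache/cgit
}

# Constructed sample configs for the demonstration.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/default.cgitrc" <<'EOF'
# typical site config: enable-http-clone is not set, so cgit's default (1) applies
cache-size=1000
scan-path=/var/lib/git
EOF
cat > "$demo_dir/mitigated.cgitrc" <<'EOF'
cache-size=1000
cache-root = /var/cache/cgit
enable-http-clone=1
# a later assignment overrides the earlier one
enable-http-clone = 0
EOF
cat > "$demo_dir/nocache.cgitrc" <<'EOF'
# clone disabled and no cache configured: nothing to clear
enable-http-clone=0
EOF

for f in default mitigated nocache; do
    if cgit_http_clone_mitigated "$demo_dir/$f.cgitrc"; then
        echo "$f.cgitrc: http clone disabled (mitigated)"
    else
        echo "$f.cgitrc: http clone ENABLED - set enable-http-clone=0 or update cgit"
    fi
    dir=$(cgit_cache_dir_to_clear "$demo_dir/$f.cgitrc")
    [ -z "$dir" ] || echo "$f.cgitrc: clear the cache under $dir (or wait out the TTL)"
done
```

Run it against the real /etc/cgitrc by calling cgit_http_clone_mitigated and cgit_cache_dir_to_clear on that path; the last-assignment-wins rule matters because a site may append the mitigation to an existing config without removing an earlier enable-http-clone=1.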
This issue was reported by Jann Horn.
Updates for all Fedora and EPEL releases were created earlier today, prior to the assignment of the CVE: