      request #10397 OS command injection through a filename when the file's history is displayed in the web Git browser
    Infos
    #10397
    Thomas Gerbet (tgerbet)
    2017-09-18 08:59
    2017-07-03 15:40
    10643
    Details
    OS command injection through a filename when the file's history is displayed in the web Git browser

    A command injection can be achieved by users who are able to commit files in a Git repo.

    Impact

    An attacker could use this vulnerability to execute code on the server as the codendiadm user.
    CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

    Exploitation

    1. Create a repo
    2. Create a file named | echo Tuleap > ${PATH:0:1}tmp${PATH:0:1}injectpoc, commit and push the file to the repo you have created
    3. Access the file history with the web Git browser
    4. A file /tmp/injectpoc is created

    References

    CVE-2017-1000214

    CWE-78
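
    Why the file name in the exploitation steps works, and the fix pattern, as an added example that is not GitPHP or Tuleap code. The git command line (BASE) and all function names are assumptions, since the page does not show the vulnerable call; nothing is executed, the code only reports which characters a POSIX shell would act on.

```python
import shlex

# Constructed sample: the file name from exploitation step 2 above.
POC_NAME = "| echo Tuleap > ${PATH:0:1}tmp${PATH:0:1}injectpoc"
BASE = "git log --pretty=oneline -- "  # assumed command, not GitPHP's own
METACHARS = set("|&;<>()$`\n")


def unsafe_command(path):
    """Vulnerable pattern: the file name is pasted into a shell string."""
    return BASE + path


def quoted_command(path):
    """Mitigation when a shell is unavoidable: quote the name as one word."""
    return BASE + shlex.quote(path)


def safe_argv(path):
    """Preferred: no shell at all; the name is one argv element after `--`.
    Run it with subprocess.run(safe_argv(p), shell=False)."""
    return BASE.split() + [path]


def unquoted_metachars(command):
    """List the characters a POSIX shell would act on (outside quotes)."""
    found, quote, i = [], None, 0
    while i < len(command):
        ch = command[i]
        if quote == "'":          # nothing is special inside '...'
            if ch == "'":
                quote = None
        elif ch == "\\":          # backslash protects the next character
            i += 1
        elif quote == '"':        # "..." still expands $ and backticks
            if ch == '"':
                quote = None
            elif ch in "$`":
                found.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch in METACHARS:
            found.append(ch)
        i += 1
    return found


if __name__ == "__main__":
    print(unquoted_metachars(unsafe_command(POC_NAME)))  # pipe, redirect, expansions
    print(unquoted_metachars(quoted_command(POC_NAME)))  # nothing left for the shell
```

    The two ${PATH:0:1} expansions stand in for "/", which a file name cannot contain; once the name is quoted or passed as a single argv element they are never expanded.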

    SCM/Git
    All
    Closed
    2017-07-05
    Follow-ups

    Thomas Gerbet (tgerbet) 2017-08-23 19:34
    CVE-2017-1000214 has been assigned by the DWF project to this vulnerability.

    Integrated into Tuleap 9.9.99.85

    • Status changed from Under review to Closed
    • Connected artifacts
    • Close date set to 2017-07-05
    Thomas Gerbet (tgerbet) 2017-07-05 14:36
    pr #59 has been integrated, package publication in the repository is waiting for the next publication.

    I'm going to propose a contribution so that people only doing the update with yum update tuleap\* are forced to also get the updated GitPHP package.