Vulnerability Details : CVE-2012-4506
Directory traversal vulnerability in gitolite 3.x before 3.1, when wild card repositories and a pattern matching "../" are enabled, allows remote authenticated users to create arbitrary repositories and possibly perform other actions via a .. (dot dot) in a repository name.
Vulnerability category: Directory traversal
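The description above turns on a pattern meant to catch "../" in a repository name. The following added example (not gitolite's code; the naive regex is an illustrative assumption, not the project's real pattern) contrasts a substring-only check with a component-wise check, and goes slightly beyond the dot-dot case in the text by also rejecting absolute names and "." components:

```python
import posixpath
import re

# Constructed illustrative check (an assumption, NOT gitolite's actual pattern):
# it only looks for the literal substring "../", so a ".." path component that
# is not followed by a slash (e.g. a trailing "..") is never seen.
NAIVE_TRAVERSAL = re.compile(r"\.\./")


def naive_rejects(repo: str) -> bool:
    """Return True if the naive substring check would reject this name."""
    return bool(NAIVE_TRAVERSAL.search(repo))


def is_safe_repo_name(repo: str, base: str = "/repositories") -> bool:
    """Component-wise check: reject any name that could leave the base dir.

    Rejects empty names, absolute names, backslashes, and any path component
    that is "", "." or "..". Then confirms that joining the name onto the base
    directory and normalising it still lands strictly inside that base.
    """
    if not repo or repo.startswith("/") or "\\" in repo:
        return False
    if any(part in ("", ".", "..") for part in repo.split("/")):
        return False
    resolved = posixpath.normpath(posixpath.join(base, repo + ".git"))
    return resolved.startswith(base + "/")


# Constructed sample repository names a defender might test a filter against.
SAMPLE_NAMES = [
    "foo/bar",       # legitimate nested name
    "foo/../bar",    # classic traversal, caught by both checks
    "../etc",        # leading traversal, caught by both checks
    "foo/..",        # trailing "..": no "../" substring, naive check misses it
    "..",            # bare "..": naive check misses it
    "/abs/repo",     # absolute name: outside the base directory
    "a/./b",         # "." component: harmless here but still not a clean name
]


def missed_by_naive_check(names):
    """Names the naive check accepts although the component-wise check rejects."""
    return [n for n in names if not naive_rejects(n) and not is_safe_repo_name(n)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:14} naive_rejects={naive_rejects(name)!s:5} "
              f"safe={is_safe_repo_name(name)}")
    print("missed by naive check:", missed_by_naive_check(SAMPLE_NAMES))
```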
Products affected by CVE-2012-4506
- cpe:2.3:a:sitaram_chamarty:gitolite:3.01:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:3.04:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:3.03:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:3.02:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:3.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-4506
- EPSS score: 0.54% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~75% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2012-4506
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.6 | MEDIUM | AV:N/AC:H/Au:S/C:P/I:P/A:P | 3.9 | 6.4 | NIST | |
CWE ids for CVE-2012-4506
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-4506
- http://www.openwall.com/lists/oss-security/2012/10/10/2 (oss-security - Re: CVE Request: gitolite path traversal vulnerability)
- http://www.securityfocus.com/bid/55853 (Gitolite CVE-2012-4506 Security Bypass Vulnerability)
- https://github.com/sitaramc/gitolite/commit/f636ce3ba3e340569b26d1e47b9d9b62dd8a3bf2 ((security) fix bug in pattern to detect path traversal · sitaramc/gitolite@f636ce3 · GitHub)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79130 (gitolite security bypass CVE-2012-4506 Vulnerability Report)
- http://www.openwall.com/lists/oss-security/2012/10/10/1 (oss-security - CVE Request: gitolite path traversal vulnerability)
- https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion (potential path traversal issue in v3 with wild repos - Google Groups)