Vulnerability Details : CVE-2018-5955
Public exploit exists!
An issue was discovered in GitStack through 2.3.10. User controlled input is not sufficiently filtered, allowing an unauthenticated attacker to add a user to the server via the username and password fields to the rest/user/ URI.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2018-5955
EPSS score: 96.36% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~99% (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2018-5955
- GitStack Unauthenticated REST API Requests
  Disclosure Date: 2018-01-15 | First seen: 2020-04-26 | auxiliary/admin/http/gitstack_rest
  This module exploits unauthenticated REST API requests in GitStack through v2.3.10. The module supports requests for listing users of the application and listing available repositories. Additionally, the module can create a user and add the user to the appli
- GitStack Unsanitized Argument RCE
  Disclosure Date: 2018-01-15 | First seen: 2020-04-26 | exploit/windows/http/gitstack_rce
  This module exploits a remote code execution vulnerability that exists in GitStack through v2.3.10, caused by an unsanitized argument being passed to an exec function call. This module has been tested on GitStack v2.3.10. Authors: Kacper Szurek, Jacob R
CVSS scores for CVE-2018-5955
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2018-5955
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-5955
- https://blogs.securiteam.com/index.php/archives/3557
  SSD Advisory – GitStack Unauthenticated Remote Code Execution - SSD Secure Disclosure (Exploit; Third Party Advisory)
- https://www.exploit-db.com/exploits/44356/
  GitStack - Unsanitized Argument Remote Code Execution (Metasploit) (Exploit; Third Party Advisory; VDB Entry)
Products affected by CVE-2018-5955
- cpe:2.3:a:smartmobilesoftware:gitstack:*:*:*:*:*:*:*:*