Arbitrary Code Injection Affecting gitweb package, versions <0:1.8.3.1-25.el7_9


Severity

Recommended
0.0
high
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
0.62% (80th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS7-GITWEB-5482754
  • published26 Apr 2023
  • disclosed25 Apr 2023

Introduced: 25 Apr 2023

CVE-2023-29007  (opens in a new tab)
CWE-74  (opens in a new tab)

How to fix?

Upgrade Centos:7 gitweb to version 0:1.8.3.1-25.el7_9 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gitweb package and not the gitweb package as distributed by Centos. See How to fix? for Centos:7 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.

CVSS Scores

version 3.1