Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:96341
HistoryAug 11, 2017 - 12:00 a.m.

Remote Command Execution in git client (CVE-2017-12426)

2017-08-1100:00:00
Root
www.seebug.org
80

EPSS

0.015

Percentile

86.8%

JSON

Remote Command Execution in git client (CVE-2017-12426)

An external code review performed by Recurity-Labs identified a remote command execution vulnerability in git that could be exploited via the “Repo by URL” import option in GitLab. The command line git client was not properly escaping command line arguments in URLs using the SSH protocol before invoking the SSH client. A specially crafted URL could be used to execute arbitrary shell commands on the GitLab server.

To fully patch this vulnerability two fixes were needed. The Omnibus versions of GitLab contain a patched git client. For source users who may still be running an older version of git, GitLab now also blocks import URLs containing invalid host and usernames. 35212

This issue has been assigned CVE-2017-12426.

Thanks to Joern Schneeweisz and Recurity-Labs for discovering this vulnerability, providing immediate notification, and helping us coordinate a release across several projects.

Versions affected

  • 7.9.0 through 8.17.7
  • 9.0.0 through 9.0.12
  • 9.1.0 through 9.1.9
  • 9.2.0 through 9.2.9
  • 9.3.0 through 9.3.9
  • 9.4.0 through 9.4.3

We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible.

Workarounds

If you’re unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.

Note: Disabling the “Repo by URL” import option does not fully mitigate this vulnerability as existing projects will still be able to change their import URLs.

Removing support for SSH URLs

GitLab CE+EE instances that cannot be patched immediately can disable support for SSH URLs in project imports and mirrors by editing the GitLab source code and removing ssh from the list of valid protocols.

For source users edit: /app/validators/addressable_url_validator.rb.

For Omnibus users edit: /opt/gitlab/embedded/service/gitlab-rails/app/validators/addressable_url_validator.rb.

Change:

DEFAULT_OPTIONS = { protocols: %w(http https ssh git) }.freeze

To:

DEFAULT_OPTIONS = { protocols: %w(http https git) }.freeze

Then restart GitLab.

For Omnibus users: gitlab-ctl restart.

Verifying the workaround

  1. Choose to create a new project
  2. Choose “Import by URL”.
  3. Specify a URL such as ssh://gitlab.com/foo.git.
  4. Verify that GitLab returns an invalid URL error.

Be certain that you do not revert this patch until you have installed an updated version of git.

Related

cvelist 1
ubuntucve 1
nvd 1
nessus 1
debiancve 1
freebsd 1
prion 1
cve 1
cvelist
cvelist
CVE-2017-12426
2017-08-14 21:00:00
ubuntucve
ubuntucve
CVE-2017-12426
2017-08-14 00:00:00
nvd
nvd
CVE-2017-12426
2017-08-14 21:29:00
nessus
nessus
FreeBSD : GitLab -- two vulnerabilities (abcc5ad3-7e6a-11e7-93f7-d43d7e971a1b)
2017-08-14 00:00:00
debiancve
debiancve
CVE-2017-12426
2017-08-14 21:29:00
freebsd
freebsd
GitLab -- two vulnerabilities
2017-08-10 00:00:00
prion
prion
Code injection
2017-08-14 21:29:00
cve
cve
CVE-2017-12426
2017-08-14 21:29:00

EPSS

0.015

Percentile

86.8%

JSON
Related for SSV:96341
cvelist1ubuntucve1nvd1nessus1debiancve1freebsd1prion1cve1