Metric | Value |
---|---|
CVSS2 | 4.6 Medium |
Access Vector | LOCAL |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:L/AC:L/Au:N/C:P/I:P/A:P |
EPSS | 0.001 Low |
EPSS Percentile | 27.0% |

gitweb/gitweb.perl in gitweb in Git 1.6.x before 1.6.0.6, 1.5.6.x before
1.5.6.6, 1.5.5.x before 1.5.5.6, 1.5.4.x before 1.5.4.7, and other versions
after 1.4.3 allows local repository owners to execute arbitrary commands by
modifying the diff.external configuration variable and executing a crafted
gitweb query.
Author | Note |
---|---|
mdeslaur | diff.external variable only available since 1.5.4 http://repo.or.cz/w/git.git?a=commitdiff;h=cbe02100 http://marc.info/?l=linux-kernel&m=122977048914639&w=2 So, doesn’t affect dapper and gutsy |
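
An audit for the condition the description names, as an added example that is not code from Git or from this tracker: it walks a gitweb project root and reports every repository whose own config sets `diff.external`. The function names and the sample config are constructed for illustration; the parser does not follow `include` directives or backslash line continuations, and a hit is a lead for review, since the setting also has legitimate uses.

```python
import os
import re

# Git config syntax: "[section]" or '[section "subsection"]', then "key = value".
SECTION_RE = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def diff_external_values(config_text):
    """Return every value assigned to diff.external in one config file's text."""
    section, subsection, values = None, None, []
    for line in config_text.splitlines():
        m = SECTION_RE.match(line)
        if m:  # section and key names are case-insensitive in git config
            section, subsection = m.group(1).lower(), m.group(2)
            line = line[m.end():]  # a key may follow the header on the same line
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        k = KEY_RE.match(stripped)
        if k and section == "diff" and subsection is None and k.group(1).lower() == "external":
            values.append((k.group(2) or "").strip())
    return values


def audit_project_root(root):
    """Walk root and map each repository config path to its diff.external values."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # A bare repository (or a .git directory) holds HEAD, objects/ and config.
        if "config" in filenames and "HEAD" in filenames and "objects" in dirnames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                values = diff_external_values(fh.read())
            if values:
                findings[path] = values
            dirnames[:] = []  # do not descend into the repository itself
    return findings


# Constructed sample config, not taken from any real repository.
SAMPLE_CONFIG = """\
[core]
    bare = true
[diff "word"]
    external = ignored-driver-key
[Diff]
    External = /home/alice/bin/mydiff
"""
```
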
repo.or.cz/w/git.git?a=blob_plain;f=Documentation/RelNotes-1.6.0.6.txt;hb=718258e256b74622aa55f5ee0cb9cff4cce6bf9f
launchpad.net/bugs/cve/CVE-2008-5916
nvd.nist.gov/vuln/detail/CVE-2008-5916
security-tracker.debian.org/tracker/CVE-2008-5916
ubuntu.com/security/notices/USN-723-1
www.cve.org/CVERecord?id=CVE-2008-5916