MidnightBSD

Advisories for gitolite

CVE-2011-1572 MEDIUM

Directory traversal vulnerability in the Admin Defined Commands (ADC) feature in gitolite before 1.5.9.1 allows remote attackers to execute arbitrary commands via .. (dot dot) sequences in admin-defined commands.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor            Product    Version
gitolite          gitolite   1.5.3
gitolite          gitolite   0.65
gitolite          gitolite   0.50
gitolite          gitolite   0.95
gitolite          gitolite   1.5.2
gitolite          gitolite   1.5.1
gitolite          gitolite   0.85
gitolite          gitolite   1.5.7
gitolite          gitolite   1.2
gitolite          gitolite   0.60
gitolite          gitolite   0.55
gitolite          gitolite   1.3
gitolite          gitolite   0.80
gitolite          gitolite   0.90
gitolite          gitolite   1.4.2
gitolite          gitolite   1.4
gitolite          gitolite   1.4.1
gitolite          gitolite   1.5
gitolite          gitolite   0.70
gitolite          gitolite   *
gitolite          gitolite   1.5.6
gitolite          gitolite   1.5.5
gitolite          gitolite   1.5.4
gitolite          gitolite   1.1
gitolite          gitolite   1.0
gitolite          gitolite   1.5.8

CVE-2012-4506 MEDIUM

Directory traversal vulnerability in gitolite 3.x before 3.1, when wild card repositories and a pattern matching "../" are enabled, allows remote authenticated users to create arbitrary repositories and possibly perform other actions via a .. (dot dot) in a repository name.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor            Product    Version
gitolite          gitolite   3.0
gitolite          gitolite   3.02
sitaram_chamarty  gitolite   3.01
gitolite          gitolite   3.03
gitolite          gitolite   3.04

CVE-2013-4451 HIGH

gitolite commit fa06a34 through 3.5.3 might allow attackers to have unspecified impact via vectors involving world-writable permissions when creating (1) ~/.gitolite.rc, (2) ~/.gitolite, or (3) ~/repositories/gitolite-admin.git on fresh installs.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264

Products Affected

Vendor            Product    Version
gitolite          gitolite   *

CVE-2013-7203 LOW

gitolite before commit fa06a34 might allow local users to read arbitrary files in repositories via vectors related to the user umask when running gitolite setup.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200

Products Affected

Vendor            Product    Version
gitolite          gitolite   *

CVE-2018-16976 MEDIUM

Gitolite before 3.6.9 does not (in certain configurations involving @all or a regex) properly restrict access to a Git repository that is in the process of being migrated until the full set of migration steps has been completed. This can allow valid users to obtain unintended access.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362

Products Affected

Vendor            Product    Version
gitolite          gitolite   *

CVE-2018-20683 MEDIUM

commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a "bad" impact by triggering use of an option other than -v, -n, -q, or -P.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor            Product    Version
gitolite          gitolite   *