CVE-2012-4506 - Vulnerability Details - OpenCVE

Directory traversal vulnerability in gitolite 3.x before 3.1, when wild card repositories and a pattern matching "../" are enabled, allows remote authenticated users to create arbitrary repositories and possibly perform other actions via a .. (dot dot) in a repository name.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gitolite	Gitolite
Sitaram Chamarty	Gitolite

Configuration 1 [-]

OR	cpe:2.3:a:gitolite:gitolite:3.0:::::::*
	cpe:2.3:a:gitolite:gitolite:3.02:::::::*
	cpe:2.3:a:gitolite:gitolite:3.03:::::::*
	cpe:2.3:a:gitolite:gitolite:3.04:::::::*
	cpe:2.3:a:sitaram_chamarty:gitolite:3.01:::::::*

No data.

References

Link	Providers
http://secunia.com/advisories/50896
http://www.openwall.com/lists/oss-security/2012/10/10/1
http://www.openwall.com/lists/oss-security/2012/10/10/2
http://www.securityfocus.com/bid/55853
https://exchange.xforce.ibmcloud.com/vulnerabilities/79130
https://github.com/sitaramc/gitolite/commit/f636ce3ba3e340569b26d1e47b9d9b62dd8a3bf2
https://groups.google.com/forum/#%21topic/gitolite/K9SnQNhCQ-0/discussion

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2012-10-22T23:00:00

Updated: 2024-08-06T20:35:09.932Z

Reserved: 2012-08-21T00:00:00

Link: CVE-2012-4506

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2012-10-22T23:55:07.243

Modified: 2025-04-11T00:51:21.963

Link: CVE-2012-4506

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-10-09T00:00:00", "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in gitolite 3.x before 3.1, when wild card repositories and a pattern matching \"../\" are enabled, allows remote authenticated users to create arbitrary repositories and possibly perform other actions via a .. (dot dot) in a repository name."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://groups.google.com/forum/#%21topic/gitolite/K9SnQNhCQ-0/discussion"}, {"name": "55853", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/55853"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sitaramc/gitolite/commit/f636ce3ba3e340569b26d1e47b9d9b62dd8a3bf2"}, {"name": "[oss-security] 20121009 CVE Request: gitolite path traversal vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/10/10/1"}, {"name": "50896", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/50896"}, {"name": "[oss-security] 20121009 Re: CVE Request: gitolite path traversal vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/10/10/2"}, {"name": "gitolite-security-bypass(79130)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79130"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-4506", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in gitolite 3.x before 3.1, when wild card repositories and a pattern matching \"../\" are enabled, allows remote authenticated users to create arbitrary repositories and possibly perform other actions via a .. (dot dot) in a repository name."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion", "refsource": "CONFIRM", "url": "https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion"}, {"name": "55853", "refsource": "BID", "url": "http://www.securityfocus.com/bid/55853"}, {"name": "https://github.com/sitaramc/gitolite/commit/f636ce3ba3e340569b26d1e47b9d9b62dd8a3bf2", "refsource": "CONFIRM", "url": "https://github.com/sitaramc/gitolite/commit/f636ce3ba3e340569b26d1e47b9d9b62dd8a3bf2"}, {"name": "[oss-security] 20121009 CVE Request: gitolite path traversal vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/10/10/1"}, {"name": "50896", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/50896"}, {"name": "[oss-security] 20121009 Re: CVE Request: gitolite path traversal vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/10/10/2"}, {"name": "gitolite-security-bypass(79130)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79130"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T20:35:09.932Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/gitolite/K9SnQNhCQ-0/discussion"}, {"name": "55853", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/55853"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/sitaramc/gitolite/commit/f636ce3ba3e340569b26d1e47b9d9b62dd8a3bf2"}, {"name": "[oss-security] 20121009 CVE Request: gitolite path traversal vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/10/10/1"}, {"name": "50896", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/50896"}, {"name": "[oss-security] 20121009 Re: CVE Request: gitolite path traversal vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/10/10/2"}, {"name": "gitolite-security-bypass(79130)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79130"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-4506", "datePublished": "2012-10-22T23:00:00", "dateReserved": "2012-08-21T00:00:00", "dateUpdated": "2024-08-06T20:35:09.932Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitolite:gitolite:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "05997028-392C-4287-995D-398C5EFF9F5E", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitolite:gitolite:3.02:*:*:*:*:*:*:*", "matchCriteriaId": "EBCDE647-25DA-4238-81FD-6AFE0B23CE45", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitolite:gitolite:3.03:*:*:*:*:*:*:*", "matchCriteriaId": "AE60C0B8-60FB-4DDA-A45E-A949049AFD92", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitolite:gitolite:3.04:*:*:*:*:*:*:*", "matchCriteriaId": "2B181E8E-6533-43C2-98B4-71194B318E07", "vulnerable": true}, {"criteria": "cpe:2.3:a:sitaram_chamarty:gitolite:3.01:*:*:*:*:*:*:*", "matchCriteriaId": "92A8D9B7-7EAE-486D-B41F-C092B4FA2552", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in gitolite 3.x before 3.1, when wild card repositories and a pattern matching \"../\" are enabled, allows remote authenticated users to create arbitrary repositories and possibly perform other actions via a .. (dot dot) in a repository name."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio en gitolite v3.x antes de v3.1, cuando repositorios wild card y un patr\u00f3n que coincida con \"../\" est\u00e1 activado, permite a usuarios remotos autenticados crear repositorios arbitrarios y posiblemente realizar otras acciones a trav\u00e9s de un .. (punto punto) en un nombre de repositorio."}], "id": "CVE-2012-4506", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-10-22T23:55:07.243", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/50896"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/10/10/1"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/10/10/2"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/55853"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79130"}, {"source": "secalert@redhat.com", "url": "https://github.com/sitaramc/gitolite/commit/f636ce3ba3e340569b26d1e47b9d9b62dd8a3bf2"}, {"source": "secalert@redhat.com", "url": "https://groups.google.com/forum/#%21topic/gitolite/K9SnQNhCQ-0/discussion"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/50896"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/10/10/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/10/10/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/55853"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79130"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/sitaramc/gitolite/commit/f636ce3ba3e340569b26d1e47b9d9b62dd8a3bf2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/#%21topic/gitolite/K9SnQNhCQ-0/discussion"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}