CVE-2019-11217: Arbitraty command execution in Bonobo Git Server GitController

Vulnerability Type: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Vendor: Jakub Chodounsky
Affected Product: Bonobo Git Server - 6.3.0 (other versions has not been assessed)
Affected Component: GitController
Attack Type: Remote
Impact: Code execution
Attack Vectors: http request submission

Description

The GitController in Jakub Chodounsky Bonobo Git Server 6.3.0 allows execution of arbitrary commands in the context of the web server via a crafted http request.

Bonobo.Git.Server/Controllers/GitController.cs at private ActionResult GetInfoRefs(String repositoryName, String service) calls GitService.ExecuteServiceByName(…) without sanitizing user supplied string serviceName. Succesfull exploitation process involves creation of the new repository, management of repository configuration and executing arbitrary command through core.editor setting.

Additional Information

The issue is fixed in version 6.5.0.

Timeline

2019-04-08 – vendor notification
2019-04-08 – vendor responded, affected product is not under development or maintenance
2019-04-12 – CVE assigned
2019-04-13 – opened issue in github.com to reach other contributors jakubgarfield/Bonobo-Git-Server/issues/831
2019-04-15 – vulnerability internally disclosed to the current maintainer
2019-04-20 – fixed version released by vendor/contributors; https://bonobogitserver.com/changelog/#version-650
2019-04-25 – full description published