CVE-2019-11217: Arbitrary command execution in Bonobo Git Server GitController
- Vulnerability Type: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- Vendor: Jakub Chodounsky
- Affected Product: Bonobo Git Server 6.3.0 (other versions have not been assessed)
- Affected Component: GitController
- Attack Type: Remote
- Impact: Code execution
- Attack Vectors: HTTP request submission
Description
The GitController in Jakub Chodounsky Bonobo Git Server 6.3.0 allows execution of arbitrary commands in the context of the web server via a crafted HTTP request.
In Bonobo.Git.Server/Controllers/GitController.cs, the method private ActionResult GetInfoRefs(String repositoryName, String service) calls GitService.ExecuteServiceByName(…) without sanitizing the user-supplied string serviceName.
Successful exploitation involves creating a new repository, managing the repository configuration, and executing an arbitrary command through the core.editor setting.
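The defensive pattern the fix calls for is a strict allowlist on the service parameter, so that the client-supplied value only ever selects a prebuilt argument vector and is never interpolated into a command line. The following is an added illustration, not Bonobo Git Server's own code; build_info_refs_argv, RejectedRequest and the /srv/git repository root are assumed names.

```python
# Added example: allowlisting the Git smart-HTTP "service" parameter before
# any server-side git process is started. Hypothetical helper names; this is
# not Bonobo Git Server's own code.
import re
from typing import List
from urllib.parse import parse_qs

# The smart HTTP protocol defines exactly two services for info/refs.
# Each maps to a fixed argv list; the request value never reaches a shell.
ALLOWED_SERVICES = {
    "git-upload-pack": ["git", "upload-pack", "--stateless-rpc", "--advertise-refs"],
    "git-receive-pack": ["git", "receive-pack", "--stateless-rpc", "--advertise-refs"],
}

# Conservative repository-name allowlist: no separators, no shell metacharacters.
REPO_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


class RejectedRequest(ValueError):
    """Raised when a request parameter fails validation."""


def build_info_refs_argv(repository_name: str, query_string: str,
                         repos_root: str = "/srv/git") -> List[str]:
    """Map an info/refs request to an argv list, or reject it.

    The service value is used only as a dictionary key into ALLOWED_SERVICES,
    so values such as "git-upload-pack;id" or "core.editor=..." can never be
    turned into a command. Callers pass the result to subprocess.run(argv)
    with shell=False.
    """
    # "." and ".." match the pattern, so they are excluded explicitly.
    if not REPO_NAME_RE.fullmatch(repository_name) or repository_name in (".", ".."):
        raise RejectedRequest(f"invalid repository name: {repository_name!r}")
    params = parse_qs(query_string, keep_blank_values=True)
    services = params.get("service", [])
    if len(services) != 1:
        raise RejectedRequest("exactly one service parameter is required")
    service = services[0]
    if service not in ALLOWED_SERVICES:
        raise RejectedRequest(f"service not allowed: {service!r}")
    repo_path = f"{repos_root}/{repository_name}.git"
    return ALLOWED_SERVICES[service] + [repo_path]
```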
Additional Information
The issue is fixed in version 6.5.0.
Timeline
- 2019-04-08 – vendor notification
- 2019-04-08 – vendor responded, affected product is not under development or maintenance
- 2019-04-12 – CVE assigned
- 2019-04-13 – opened issue in github.com to reach other contributors jakubgarfield/Bonobo-Git-Server/issues/831
- 2019-04-15 – vulnerability internally disclosed to the current maintainer
- 2019-04-20 – fixed version released by vendor/contributors; https://bonobogitserver.com/changelog/#version-650
- 2019-04-25 – full description published