CVE-2019-11217: Arbitraty command execution in Bonobo Git Server GitController

  • Vulnerability Type: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • Vendor: Jakub Chodounsky
  • Affected Product: Bonobo Git Server - 6.3.0 (other versions has not been assessed)
  • Affected Component: GitController
  • Attack Type: Remote
  • Impact: Code execution
  • Attack Vectors: http request submission

The GitController in Jakub Chodounsky Bonobo Git Server 6.3.0 allows execution of arbitrary commands in the context of the web server via a crafted http request.

Bonobo.Git.Server/Controllers/GitController.cs at private ActionResult GetInfoRefs(String repositoryName, String service) calls GitService.ExecuteServiceByName(…) without sanitizing user supplied string serviceName. Succesfull exploitation process involves creation of the new repository, management of repository configuration and executing arbitrary command through core.editor setting.

The issue is fixed in version 6.5.0.

  • 2019-04-08 – vendor notification
  • 2019-04-08 – vendor responded, affected product is not under development or maintenance
  • 2019-04-12 – CVE assigned
  • 2019-04-13 – opened issue in github.com to reach other contributors jakubgarfield/Bonobo-Git-Server/issues/831
  • 2019-04-15 – vulnerability internally disclosed to the current maintainer
  • 2019-04-20 – fixed version released by vendor/contributors; https://bonobogitserver.com/changelog/#version-650
  • 2019-04-25 – full description published