oss-sec mailing list archives
CVE-2013-4489 Remote code execution vulnerability in the code search feature of GitLab
From: Jacob Vosmaer <jacob () gitlab com>
Date: Mon, 4 Nov 2013 19:58:15 +0100
Remote code execution vulnerability in the code search feature of GitLab

There is a remote code execution vulnerability in the code search feature of GitLab. This vulnerability has been assigned the CVE identifier CVE-2013-4489.

Versions affected: 5.2, 5.3, 5.4, 6.0, 6.1, 6.2
Not affected: 5.1 and earlier
Fixed versions: 5.4.1, 6.2.3

Impact
---

The Grit gem, which serves as the Git backend for GitLab, has an unsafe code path intended for internal use which allows strings to be evaluated by the Bourne shell. In affected versions, the GitLab code search feature exposes this unsafe code path to user input from the search box. Code search in GitLab is only available to authenticated users.

All users running an affected release should upgrade immediately or disable code search using the workaround below.

Releases
---

The 5.4.1 and 6.2.3 releases are available from https://github.com/gitlabhq/gitlabhq and https://gitlab.com/gitlab-org/gitlab-ce .

Workarounds
---

If you are unable to upgrade, you can disable code search by deleting the following line from `app/contexts/search_context.rb` and restarting GitLab:

    result[:blobs] = project.repository.search_files(query, params[:repository_ref]) unless project.empty_repo?

Credits
---

Thanks to joernchen of http://www.phenoelit.org/ for reporting the vulnerability to us.

Best regards,
Jacob Vosmaer
GitLab.com
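The bug class behind this advisory, as an added illustration that is not Grit's or GitLab's code: a user-controlled search query interpolated into a string that a shell evaluates, beside the hardened form that hands the query to git as a single argv element with no shell involved. The helper names, the sample query and the use of printf in place of git (so it runs without a repository) are all assumptions of this example.

```ruby
# Illustration of the CVE-2013-4489 bug class: a search query that reaches
# /bin/sh as part of a command string, versus the same query passed as one
# argv element. These helpers are hypothetical stand-ins, not Grit or GitLab code.
require 'open3'
require 'shellwords'

# Constructed sample: something a user might type into the search box.
SAMPLE_QUERY = 'def foo; echo INJECTED'.freeze

# Unsafe pattern: the query is interpolated into a single command string.
# If that string is later handed to the Bourne shell, `;`, `|` and `$(...)`
# inside the query are parsed as shell syntax, not as search text.
def unsafe_search_command(query, ref)
  "git grep -n -e #{query} #{ref}"
end

# Safe pattern: build argv, never a command line. Each element reaches
# execve(2) as one literal argument, so no shell ever sees the query.
# The trailing `--` keeps git from reading a query that starts with `-`
# as an option.
def safe_search_argv(query, ref)
  ['git', 'grep', '-n', '-e', query, ref, '--']
end

# Second-best pattern when a shell string cannot be avoided: escape every
# user-controlled piece so the shell treats each one as a single word.
def escaped_search_command(query, ref)
  "git grep -n -e #{Shellwords.escape(query)} #{Shellwords.escape(ref)}"
end

# Runs argv without a shell and returns stdout. Open3.capture2 with several
# arguments uses exec semantics; metacharacters are not interpreted.
def run_argv(argv)
  out, _status = Open3.capture2(*argv)
  out
end

# Demonstration with printf instead of git so it runs without a repository:
# the query arrives intact as one argument, `;` and all.
def echo_query_literally(query)
  run_argv(['printf', '%s', query])
end

if __FILE__ == $PROGRAM_NAME
  puts "Unsafe string:  #{unsafe_search_command(SAMPLE_QUERY, 'master')}"
  puts "Escaped string: #{escaped_search_command(SAMPLE_QUERY, 'master')}"
  puts "Safe argv:      #{safe_search_argv(SAMPLE_QUERY, 'master').inspect}"
  puts "Literal arg:    #{echo_query_literally(SAMPLE_QUERY)}"
end
```

Reviewing a code base for this class of defect means looking for the first pattern (string interpolation into anything that ends up in `sh -c`, backticks or `system` with a single string) and replacing it with the argv form.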