Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2012-4548

Overview
Vulnerability Score	6.0
CVE Id	CVE-2012-4548
Last Modified	10 Apr 2013 11:31:04
Published	11 Nov 2012 08:00:54
Confidentiality Impact	PARTIAL
Integrity Impact	PARTIAL
Availability Impact	PARTIAL
Access Vector	NETWORK
Access Complexity	MEDIUM
Authentication	SINGLE_INSTANCE

CVE-2012-4548

Summary

Argument injection vulnerability in syntax-highlighting.sh in cgit 9.0.3 and earlier allows remote authenticated users with permissions to add files to execute arbitrary commands via the --plug-in argument to the highlight command.

Vulnerable Systems

Application

• Lars Hjemli Cgit 0.1

• Lars Hjemli Cgit 0.2

• Lars Hjemli Cgit 0.3

• Lars Hjemli Cgit 0.4

• Lars Hjemli Cgit 0.5

• Lars Hjemli Cgit 0.6

• Lars Hjemli Cgit 0.6.1

• Lars Hjemli Cgit 0.6.2

• Lars Hjemli Cgit 0.6.3

• Lars Hjemli Cgit 0.7

• Lars Hjemli Cgit 0.7.1

• Lars Hjemli Cgit 0.7.2

• Lars Hjemli Cgit 0.8

• Lars Hjemli Cgit 0.8.1

• Lars Hjemli Cgit 0.8.1.1

• Lars Hjemli Cgit 0.8.2

• Lars Hjemli Cgit 0.8.2.1

• Lars Hjemli Cgit 0.8.2.2

• Lars Hjemli Cgit 0.8.3

• Lars Hjemli Cgit 0.8.3.1

• Lars Hjemli Cgit 0.8.3.2

• Lars Hjemli Cgit 0.8.3.3

• Lars Hjemli Cgit 0.8.3.4

• Lars Hjemli Cgit 0.8.3.5

• Lars Hjemli Cgit 0.9

• Lars Hjemli Cgit 0.9.0.1

• Lars Hjemli Cgit 0.9.0.2

• Lars Hjemli Cgit 0.9.0.3

References

MISC - https://bugzilla.redhat.com/show_bug.cgi?id=870713

XF - cgit-syntaxhighlighting-command-exec(79665)

BID - 56315

MLIST - [oss-security] 20121028 Re: CVE Request: cgit command injection

MLIST - [oss-security] 20121027 CVE Request: cgit command injection

SECUNIA - 51167

SECUNIA - 50734

SUSE - openSUSE-SU-2012:1422

SUSE - openSUSE-SU-2012:1421

CONFIRM - http://git.zx2c4.com/cgit/commit/?id=7ea35f9f8ecf61ab42be9947aae1176ab6e089bd

SUSE - openSUSE-SU-2012:1461

SUSE - openSUSE-SU-2012:1460

SECUNIA - 51222