CVE-2011-4929
published 2012-10-08

Priority: P272 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 46.40% (98.7th percentile)

Unspecified vulnerability in the bazaar repository adapter in Redmine 0.9.x and 1.0.x before 1.0.5 allows remote attackers to execute arbitrary commands via unknown vectors.

Affected

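15 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | redmine | < redmine 1.0.5-1 (bookworm) | redmine 1.0.5-1 (bookworm) |
| redmine | redmine | | |
| redmine | redmine | | |
| redmine | redmine | | |
| redmine | redmine | | |
| redmine | redmine | | |
| redmine | redmine | | |
| redmine | redmine | | |
| redmine | redmine | | |
| redmine | redmine | | |
| redmine | redmine | | |
| redmine | redmine | | |
| redmine | redmine | | |
| redmine | redmine | >= 0 < 1.0.5-1 | 1.0.5-1 |
| redmine | redmine | >= 0 < 1.0.5-1 | 1.0.5-1 |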

Detection & IOCs (extracted from sources)

url: /repository/annotate?rev=`<command>`
path: /repository/annotate
  • Detect HTTP GET requests to the Redmine repository annotate endpoint where the `rev` parameter contains backtick-wrapped shell command injection (e.g., rev=`<cmd>`).
  • Alert on GET requests to paths matching */repository/annotate* with a `rev` query parameter containing backtick characters (`` ` ``), which indicate OS command injection attempts.
  • The Metasploit exploit module uses a hardcoded User-Agent string 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' combined with the annotate endpoint — correlating this UA with the vulnerable path is a high-fidelity detection signal.
  • The exploit targets Redmine 0.9.x and 1.0.x before 1.0.5 specifically via the bazaar (SCM) repository adapter; the vulnerability only exists when a bazaar repository is configured for a project.
  • The Metasploit module defaults to targeting project URI '/projects/1/'. Defenders should not limit detection scope to only this path, as attackers can supply any valid project URI.
  • The payload is URI-encoded before injection into the rev parameter; detection rules must account for URL-encoded backtick characters (%60) as well as literal backticks.
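
One way to apply the detection notes above to web server logs, as an added example that is not taken from the page's sources. It assumes Apache/nginx "combined" access-log lines; the function names, the severity labels and the sample lines (with the placeholder CMD) are constructed for illustration, and it also decodes double-encoded backticks (%2560), which goes beyond the cases the notes list.

```python
import re
from urllib.parse import urlsplit, unquote

# User-Agent the page attributes to the Metasploit module.
MSF_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
# Assumed input format: "combined" access-log lines.
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample lines: documentation IP ranges, CMD is a placeholder.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Oct/2012:10:00:01 +0000] "GET /projects/1/repository/annotate?rev=%60CMD%60 HTTP/1.1" 200 512 "-" "' + MSF_UA + '"',
    '198.51.100.8 - - [08/Oct/2012:10:00:02 +0000] "GET /projects/demo/repository/annotate?rev=`CMD` HTTP/1.1" 200 512 "-" "curl/7.0"',
    '198.51.100.9 - - [08/Oct/2012:10:00:03 +0000] "GET /projects/42/repository/annotate?path=a&rev=%2560CMD%2560 HTTP/1.1" 500 0 "-" "curl/7.0"',
    '203.0.113.5 - - [08/Oct/2012:10:00:04 +0000] "GET /projects/1/repository/annotate?rev=123&path=README HTTP/1.1" 200 900 "-" "Firefox"',
    '203.0.113.6 - - [08/Oct/2012:10:00:05 +0000] "GET /projects/1/issues?rev=%60CMD%60 HTTP/1.1" 200 900 "-" "Firefox"',
]

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so %60 and double-encoded %2560 both yield a backtick."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return 'high', 'medium' or None for one access-log line."""
    m = LINE_RE.search(line)
    if not m or m["method"] != "GET":  # the notes scope detection to GET requests
        return None
    parts = urlsplit(m["target"])
    # Match any project URI, not only the module default /projects/1/.
    if "/repository/annotate" not in fully_unquote(parts.path):
        return None
    revs = [fully_unquote(v) for k, _, v in
            (p.partition("=") for p in re.split("[&;]", parts.query))
            if fully_unquote(k) == "rev"]
    if not any("`" in r for r in revs):
        return None
    # Backtick in rev plus the module's User-Agent is the stronger signal.
    return "high" if m["ua"] == MSF_UA else "medium"

def scan(lines):
    """Return (severity, line) for every line that matches."""
    return [(sev, ln) for ln in lines if (sev := classify(ln))]

if __name__ == "__main__":
    for sev, ln in scan(SAMPLE_LOG):
        print(sev, ln)
```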

CVSS provenance

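| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |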