CVE-2011-4929
Published 2012-10-08
Priority: P2 · 72 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 46.40% (98.7th percentile)
Unspecified vulnerability in the bazaar repository adapter in Redmine 0.9.x and 1.0.x before 1.0.5 allows remote attackers to execute arbitrary commands via unknown vectors.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | redmine | < redmine 1.0.5-1 (bookworm) | redmine 1.0.5-1 (bookworm) |
| redmine | redmine | — | — |
| redmine | redmine | — | — |
| redmine | redmine | — | — |
| redmine | redmine | — | — |
| redmine | redmine | — | — |
| redmine | redmine | — | — |
| redmine | redmine | — | — |
| redmine | redmine | — | — |
| redmine | redmine | — | — |
| redmine | redmine | — | — |
| redmine | redmine | — | — |
| redmine | redmine | — | — |
| redmine | redmine | >= 0 < 1.0.5-1 | 1.0.5-1 |
| redmine | redmine | >= 0 < 1.0.5-1 | 1.0.5-1 |
Detection & IOCs (extracted from sources)
- Detect HTTP GET requests to the Redmine repository annotate endpoint where the `rev` parameter contains backtick-wrapped shell command injection (e.g., rev=`<cmd>`).
- Alert on GET requests to paths matching */repository/annotate* with a `rev` query parameter containing backtick characters (`` ` ``), which indicate OS command injection attempts.
- The Metasploit exploit module uses a hardcoded User-Agent string 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' combined with the annotate endpoint; correlating this UA with the vulnerable path is a high-fidelity detection signal.
- The exploit targets Redmine 0.9.x and 1.0.x before 1.0.5 specifically via the bazaar (SCM) repository adapter; the vulnerability only exists when a bazaar repository is configured for a project.
- The Metasploit module defaults to targeting project URI '/projects/1/'; defenders should not limit detection scope to only this path, as attackers can supply any valid project URI.
- The payload is URI-encoded before injection into the rev parameter; detection rules must account for URL-encoded backtick characters (%60) as well as literal backticks.
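The detection guidance above, applied to web access logs, as an added example that is not part of the original page or of any indexed source. It assumes Apache/nginx "combined" log format; `classify`, `fully_unquote` and `SAMPLE_LOG` are hypothetical names, the log lines are constructed, and the check goes slightly beyond the page by also decoding double-encoded backticks (`%2560`).

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# User-Agent hardcoded in the Metasploit module, as quoted on this page.
MSF_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Assumption: access logs are in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so %60 and %2560 both yield a backtick."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None, 'suspicious' or 'high' for one access-log line."""
    m = LOG_RE.search(line)
    if not m or m["method"] != "GET":
        return None
    parts = urlsplit(m["target"])
    # Match any project URI, not only the module default /projects/1/.
    if "/repository/annotate" not in fully_unquote(parts.path):
        return None
    revs = [fully_unquote(v)
            for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k == "rev"]
    if not any("`" in v for v in revs):
        return None
    # The module's fixed User-Agent on this path raises confidence.
    return "high" if m["ua"] == MSF_UA else "suspicious"

# Constructed sample lines; CMD is a placeholder, not a real payload.
_TS = '- - [19/Dec/2010:10:00:00 +0000]'
SAMPLE_LOG = [
    f'203.0.113.5 {_TS} "GET /projects/1/repository/annotate?rev=%60CMD%60 HTTP/1.1" 200 512 "-" "{MSF_UA}"',
    f'203.0.113.9 {_TS} "GET /projects/demo/repository/annotate?rev=`CMD` HTTP/1.1" 500 0 "-" "curl/7.0"',
    f'198.51.100.7 {_TS} "GET /projects/demo/repository/annotate?rev=42 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    f'198.51.100.8 {_TS} "GET /projects/2/repository/annotate?rev=%2560CMD%2560 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "|", line.split('"')[1])
```

The User-Agent match only raises confidence; a backtick in `rev` on the annotate path is flagged regardless of client string, since the header is trivially changed.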
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 HIGH
vendor_debian · 7.5 HIGH
Debian
CVE-2011-4929: redmine - Unspecified vulnerability in the bazaar repository adapter in Redmine 0.9.x and ...
vendor_debian·2011·CVSS 7.5
Unspecified vulnerability in the bazaar repository adapter in Redmine 0.9.x and 1.0.x before 1.0.5 allows remote attackers to execute arbitrary commands via unknown vectors.
Scope: local
bookworm: resolved (fixed in 1.0.5-1)
sid: resolved (fixed in 1.0.5-1)
trixie: resolved (fixed in 1.0.5-1)
GHSA
GHSA-w2vv-gmgp-33q7: Unspecified vulnerability in the bazaar repository adapter in Redmine 0
ghsa_unreviewed·2022-05-17
Unspecified vulnerability in the bazaar repository adapter in Redmine 0.9.x and 1.0.x before 1.0.5 allows remote attackers to execute arbitrary commands via unknown vectors.
OSV
CVE-2011-4929: Unspecified vulnerability in the bazaar repository adapter in Redmine 0
osv·2012-10-08·CVSS 7.5
Unspecified vulnerability in the bazaar repository adapter in Redmine 0.9.x and 1.0.x before 1.0.5 allows remote attackers to execute arbitrary commands via unknown vectors.
No detection rules found.
Exploit-DB
Redmine SCM Repository - Arbitrary Command Execution (Metasploit)
exploitdb·2010-12-19
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule 'Redmine SCM Repository Arbitrary Command Execution',
      'Description' => %q{
        This module exploits an arbitrary command execution vulnerability in the
        Redmine repository controller. The flaw is triggered when a rev parameter
        is passed to the command line of the SCM tool without adequate filtering.
      },
      'Author' => [ 'joernchen ' ], #Phenoelit
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2011-4929'],
          ['OSVDB', '70090'],
          ['URL', 'http://www.redmine.org/news/49' ]
        ],
      'Privileged' => false,
      'Payload' =>
        {
          'DisableNops' => true,
          'Space' => 5
```
Metasploit
Redmine SCM Repository Arbitrary Command Execution
metasploit
This module exploits an arbitrary command execution vulnerability in the Redmine repository controller. The flaw is triggered when a rev parameter is passed to the command line of the SCM tool without adequate filtering.
No writeups or analysis indexed.
References
- http://www.debian.org/security/2011/dsa-2261
- http://www.openwall.com/lists/oss-security/2012/01/06/5
- http://www.openwall.com/lists/oss-security/2012/01/06/7
- http://www.redmine.org/news/49

Published: 2012-10-08