CVE-2018-14912
published 2018-08-03

Priority: P182 high · CVSS 3.0: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV (exploited in the wild)
EPSS: 93.19% (99.8th percentile)

cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.

Affected

8 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cgit_project | cgit | < 1.2.1 | 1.2.1 |
| cgit_project | cgit | >= 0 < 1.1+git2.10.2-3.1 | 1.1+git2.10.2-3.1 |
| cgit_project | cgit | >= 0 < 1.1+git2.10.2-3.1 | 1.1+git2.10.2-3.1 |
| cgit_project | cgit | >= 0 < 1.1+git2.10.2-3.1 | 1.1+git2.10.2-3.1 |
| cgit_project | cgit | >= 0 < 1.1+git2.10.2-3.1 | 1.1+git2.10.2-3.1 |
| debian | cgit | < cgit 1.1+git2.10.2-3.1 (bookworm) | cgit 1.1+git2.10.2-3.1 (bookworm) |
| debian | debian_linux | | |
| debian | debian_linux | | |

Detection & IOCs (extracted from sources)

url: cgit/cgit.cgi/git/objects/?path=../
url: {{BaseURL}}/cgit/cgit.cgi/git/objects/?path=../../../../../../../etc/passwd
url: http://localhost/cgit/git.git/objects/?path=../../../../../etc/passwd
path: /cgit/cgit.cgi/git/objects/
  • Look for HTTP GET requests to the cgit objects endpoint with a `path` query parameter containing directory traversal sequences (`../`). The canonical PoC pattern is `/cgit/cgit.cgi/<repo>/objects/?path=../`.
  • The Metasploit module constructs the traversal by repeating `../` a configurable number of times (default depth 10) in the `path` GET parameter against the `/objects/` endpoint.
  • The vulnerability is only reachable when `enable-http-clone=1` is set (the default). Detections should focus on cgit instances where this flag is active.
  • Successful exploitation returns HTTP 200 with the content of the requested file. Alert on HTTP 200 responses to requests containing `objects/?path=` with traversal sequences.
  • Use Shodan/FOFA to identify exposed cgit instances as attack surface: search for `http.title:"git repository browser"` or `title="git repository browser"`.
  • Google dork for exposed cgit instances: `intitle:"git repository browser"`.
  • The vulnerability is only exploitable when `enable-http-clone=1` is set in cgitrc. This is the default configuration, meaning most unpatched cgit deployments are vulnerable out of the box.
  • Setting `enable-http-clone=0` in `/etc/cgitrc` mitigates the issue without patching, but the cgit cache must also be manually cleared or the 5-minute TTL must expire for the mitigation to take effect.
  • The vulnerability has existed since cgit-0.8 (commit 02a545e63, from 2008), meaning a very wide range of historical versions are affected.
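
The log-side check described in the detection notes above, as an added example (not code from this page's sources or from the cgit project): it flags GET requests to an `/objects/` endpoint whose `path` parameter decodes to a `..` segment, and separates HTTP 200 responses from other statuses. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format (assumed); only client, request line and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def decode(value, rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None, 'attempt' or 'likely-success' for one access-log line."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    # Only the clone endpoint: a request path ending in /objects/
    if not decode(url.path).rstrip("/").endswith("/objects"):
        return None
    values = parse_qs(url.query, keep_blank_values=True).get("path", [])
    # A '..' path segment, with either slash style, after full decoding
    if not any(".." in re.split(r"[\\/]", decode(v)) for v in values):
        return None
    return "likely-success" if m["status"] == "200" else "attempt"

def scan(lines):
    """Return (client_ip, verdict) for every flagged line."""
    verdicts = ((line, classify(line)) for line in lines)
    return [(LOG_RE.match(l)["ip"], v) for l, v in verdicts if v]

# Constructed sample lines (documentation IP ranges), not real traffic.
TS = "[03/Aug/2018:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /cgit/cgit.cgi/git/objects/?path=../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "-"',
    f'192.0.2.11 - - {TS} "GET /cgit/cgit.cgi/git/objects/?path=%252e%252e%252fREADME HTTP/1.1" 404 162 "-" "-"',
    f'198.51.100.7 - - {TS} "GET /cgit/cgit.cgi/git/objects/?path=info/packs HTTP/1.1" 200 54 "-" "-"',
    f'198.51.100.8 - - {TS} "GET /cgit/cgit.cgi/git/tree/?path=../docs HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

A `likely-success` verdict only reflects the 200 status; confirming disclosure still requires checking what the response body contained.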

CVSS provenance

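| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 7.5 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |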