CVE-2018-14912
Published 2018-08-03
Priority P182 · high · 7.5 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 93.19% (99.8th percentile)
cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cgit_project | cgit | < 1.2.1 | 1.2.1 |
| cgit_project | cgit | >= 0 < 1.1+git2.10.2-3.1 | 1.1+git2.10.2-3.1 |
| cgit_project | cgit | >= 0 < 1.1+git2.10.2-3.1 | 1.1+git2.10.2-3.1 |
| cgit_project | cgit | >= 0 < 1.1+git2.10.2-3.1 | 1.1+git2.10.2-3.1 |
| cgit_project | cgit | >= 0 < 1.1+git2.10.2-3.1 | 1.1+git2.10.2-3.1 |
| debian | cgit | < cgit 1.1+git2.10.2-3.1 (bookworm) | cgit 1.1+git2.10.2-3.1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
Detection & IOCs
- Look for HTTP GET requests to the cgit objects endpoint with a `path` query parameter containing directory traversal sequences (`../`). The canonical PoC pattern is `/cgit/cgit.cgi/<repo>/objects/?path=../`.
- The Metasploit module constructs the traversal by repeating `../` a configurable number of times (default depth 10) in the `path` GET parameter against the `/objects/` endpoint.
- The vulnerability is only reachable when `enable-http-clone=1` is set (the default). Detections should focus on cgit instances where this flag is active.
- Successful exploitation returns HTTP 200 with the content of the requested file. Alert on HTTP 200 responses to requests containing `objects/?path=` with traversal sequences.
- Use Shodan/FOFA to identify exposed cgit instances as attack surface: search for `http.title:"git repository browser"` or `title="git repository browser"`.
- Google dork for exposed cgit instances: `intitle:"git repository browser"`.
- The vulnerability is only exploitable when `enable-http-clone=1` is set in cgitrc. This is the default configuration, meaning most unpatched cgit deployments are vulnerable out of the box.
- Setting `enable-http-clone=0` in `/etc/cgitrc` mitigates the issue without patching, but the cgit cache must also be manually cleared or the 5-minute TTL must expire for the mitigation to take effect.
- The vulnerability has existed since cgit-0.8 (commit 02a545e63, from 2008), meaning a very wide range of historical versions are affected.
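The request and response patterns listed above can be checked against web server access logs. The following is an added example, not code from cgit or any of the cited sources; it assumes Combined Log Format, and it goes slightly beyond the literal `../` pattern by also unwrapping URL-encoded variants. The log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format prefix: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def has_traversal(value):
    """True if any path segment is '..' once layered URL-encoding is removed."""
    for _ in range(3):  # parse_qs decoded once already; unwrap %252e-style nesting
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in re.split(r"[\\/]+", value)

def classify(line):
    """Return None, 'attempt' or 'likely-success' for one access-log line."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if not url.path.rstrip("/").endswith("/objects"):
        return None
    values = parse_qs(url.query, keep_blank_values=True).get("path", [])
    if not any(has_traversal(v) for v in values):
        return None
    # The page notes that a successful read is answered with HTTP 200.
    return "likely-success" if m["status"] == "200" else "attempt"

def scan(lines):
    """Return (client_ip, verdict) for every line that matches the pattern."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((LOG_RE.match(line)["ip"], verdict))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Aug/2018:10:00:01 +0000] "GET /cgit/git.git/objects/?path=../../../../../etc/passwd HTTP/1.1" 200 1530',
    '198.51.100.9 - - [03/Aug/2018:10:00:05 +0000] "GET /cgit/git.git/objects/?path=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 162',
    '192.0.2.15 - - [03/Aug/2018:10:01:12 +0000] "GET /cgit/git.git/objects/?path=info/packs HTTP/1.1" 200 54',
    '192.0.2.15 - - [03/Aug/2018:10:01:13 +0000] "GET /cgit/git.git/tree/?path=../README HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

A `likely-success` hit on a host that was running cgit before 1.2.1 with `enable-http-clone=1` warrants treating every file readable by the web server account as disclosed.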
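CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |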
GHSA
ghsa_unreviewed·2022-05-14
CVE-2018-14912 [HIGH] CWE-22 GHSA-46c3-xc8j-9qg7: cgit_clone_objects in CGit before 1
OSV
osv·2018-08-03·CVSS 7.5
CVE-2018-14912 [HIGH] CVE-2018-14912: cgit_clone_objects in CGit before 1
VulnCheck
vulncheck·2018·CVSS 7.5
CVE-2018-14912 [HIGH] cgit_project cgit Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: cgit_project cgit
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type=src&vulnerability=cve-2018-14912; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-04&host_type=src&vulnerability=cve-2018-14912; https://dashboard.shadowserver.o
Debian
vendor_debian·2018·CVSS 7.5
CVE-2018-14912 [HIGH] CVE-2018-14912: cgit - cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability ...
Scope: local
bookworm: resolved (fixed in 1.1+git2.10.2-3.1)
bullseye: resolved (fixed in 1.1+git2.10.2-3.1)
forky: resolved (fixed in 1.1+git2.10.2-3.1)
sid: resolved (fixed in 1.1+git2.10.2-3.1)
trixie: resolved (fixed in 1.1+git2.10.2-3.1)
No detection rules found.
Exploit-DB
exploitdb·2018-08-14·CVSS 7.5
CVE-2018-14912 [HIGH] cgit 1.2.1 - Directory Traversal (Metasploit)
---
# Title: cgit 1.2.1 - Directory Traversal (Metasploit)
# Author: Dhiraj Mishra
# Software: cgit
# Link: https://git.zx2c4.com/cgit/
# Date: 2018-08-14
# CVE: CVE-2018-14912
# This module exploits a directory traversal vulnerability which exists
# in cgit 'cgit Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability which
exists in cgit
[
['CVE', '2018-14912'],
['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1627'],
['EDB', '45148']
],
'Author' =>
[
'Google Project Zero', # Vulnerability discovery
'Dhiraj Mishra' # Metasploit module
],
'DisclosureDate' => 'Aug 03 2018',
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('FILEPATH', [true, "The path to the file to re
Nuclei
nuclei·CVSS 7.5
CVE-2018-14912 [HIGH] cgit < 1.2.1 - Directory Traversal
cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
Template:
id: CVE-2018-14912
info:
  name: cgit < 1.2.1 - Directory Traversal
  author: 0x_Akoko
  severity: high
  description: cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
  impact: |
    Unauthenticated attackers can access arbitrary files on the server through path traversal in cgit when HTTP clone functionality is enabled, potentially exposing sensitive repository data, source code, configuration files, and credentials.
  remediation: |
Metasploit
cgit Directory Traversal
metasploit
This module exploits a directory traversal vulnerability which exists in cgit < 1.2.1 cgit_clone_objects(), reachable when the configuration flag enable-http-clone is set to 1 (default).
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
Bugzilla
bugzilla·2018-08-03·CVSS 7.5
CVE-2018-14912 [HIGH] CVE-2018-14912 cgit: directory traversal vulnerability in cgit < 1.2.1
A directory traversal vulnerability was discovered in cgit prior to 1.2.1. The issue dates back to cgit-0.8 (commit https://git.zx2c4.com/cgit/commit/?id=02a545e63), from 2008.
When enable-http-clone is enabled (as it is by default), it is trivial to retrieve any file readable by the webserver account. For example, with cgit serving a repository in /var/lib/git, the following URL can be used to read /etc/passwd:
http://localhost/cgit/git.git/objects/?path=../../../../../etc/passwd
Setting enable-http-clone=0 in /etc/cgitrc can be used to mitigate the issue.
Note: the cgit cache must be manually cleared or the 5 minute TTL must expire regardless of whether the above mitigation is used or the patched packages are dep
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1627
- https://lists.debian.org/debian-lts-announce/2018/08/msg00005.html
- https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html
- https://www.debian.org/security/2018/dsa-4263
- https://www.exploit-db.com/exploits/45195/