CVE-2018-19585
Published 2019-05-17
Priority P2 · 60 · high · 7.5 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 14.51% (96.2th percentile)
GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 11.3.11+dfsg-1 (sid) | gitlab 11.3.11+dfsg-1 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 11.4.0 < 11.4.8 | 11.4.8 |
| gitlab | gitlab | >= 11.5.0 < 11.5.1 | 11.5.1 |
| gitlab | gitlab | >= 8.18.0 < 11.3.11 | 11.3.11 |
| gitlab | gitlab_ce | — | — |
Detection & IOCs
- Exploit requires authenticated access to GitLab; attacker must supply valid session cookie and authenticity_token obtained after login
- The RCE chain combines CVE-2018-19571 (SSRF) with CVE-2018-19585 (CRLF Injection); both CVEs must be present for full exploitation
- Affected versions span GitLab CE/EE 8.18 through 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1; fixed in Debian sid at 11.3.11+dfsg-1
CVSS provenance
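| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vendor_debian | — | 7.5 | HIGH | — |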
GitLab
vendor_gitlab · 2019-05-17 · CVSS 7.5
CVE-2018-19585 [HIGH] CWE-93
CVE-2018-19585: GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol.
Debian
vendor_debian · 2018 · CVSS 7.5
CVE-2018-19585 [HIGH] gitlab
GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol.
Scope: local
sid: resolved (fixed in 11.3.11+dfsg-1)
GHSA
ghsa_unreviewed · 2022-05-24
CVE-2018-19585 [HIGH] CWE-93 GHSA-49rg-2gmx-qjmr
GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol.
No detection rules found.
Exploit-DB
GitLab 11.4.7 - RCE (Authenticated) (2)
exploitdb · 2020-12-24 · CVSS 7.7
CVE-2018-19585 [HIGH]
```python
# Exploit Title: GitLab 11.4.7 RCE (POC)
# Date: 24th December 2020
# Exploit Author: Norbert Hofmann
# Exploit Modifications: Sam Redmond, Tam Lai Yin
# Original Author: Mohin Paramasivam
# Software Link: https://gitlab.com/
# Environment: GitLab 11.4.7, community edition
# CVE: CVE-2018-19571 + CVE-2018-19585
#!/usr/bin/python3
import requests
from bs4 import BeautifulSoup
import argparse
import random
parser = argparse.ArgumentParser(description='GitLab 11.4.7 RCE')
parser.add_argument('-u', help='GitLab Username/Email', required=True)
parser.add_argument('-p', help='Gitlab Password', required=True)
parser.add_argument('-g', help='Gitlab URL (without port)', required=True)
parser.add_argument('-l', help='reverse shell ip', required=True)
```
Exploit-DB
GitLab 11.4.7 - Remote Code Execution (Authenticated) (1)
exploitdb · 2020-12-14
CVE-2018-19585
```python
# Exploit Title: Gitlab 11.4.7 - Remote Code Execution
# Date: 14-12-2020
# Exploit Author: Fortunato Lodari fox [at] thebrain [dot] net, foxlox
# Vendor Homepage: https://about.gitlab.com/
# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
# Tested On: Debian 10 + Apache/2.4.46 (Debian)
# Version: 11.4.7 community
import sys
import requests
import time
import random
import http.cookiejar
import os.path
from os import path
# Sign in GitLab 11.4.7 portal and get (using Burp or something other):
# authenticity_token
# authenticated cookies
# username
# specify localport and localip for reverse shell
username='aaaaaaaaaaaa'
authenticity_token='jpT/n1EoPwwWtiGu/+QKVQomofMNyqAQXY+iD2kVoRQoiQ
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/160516/GitLab-11.4.7-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/160699/GitLab-11.4.7-Remote-Code-Execution.html
- https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/
- https://about.gitlab.com/blog/categories/releases/
Published: 2019-05-17