CVE-2018-20683 - OpenCVE

commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a "bad" impact by triggering use of an option other than -v, -n, -q, or -P.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gitolite	Gitolite

Configuration 1 [-]

cpe:2.3:a:gitolite:gitolite:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugs.debian.org/918849
https://github.com/sitaramc/gitolite/blob/master/CHANGELOG
https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae
https://groups.google.com/forum/#%21topic/gitolite-announce/6xbjjmpLePQ

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-01-10T01:00:00

Updated: 2024-08-05T12:05:17.632Z

Reserved: 2019-01-09T00:00:00

Link: CVE-2018-20683

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-01-10T01:29:00.237

Modified: 2023-11-07T02:56:20.210

Link: CVE-2018-20683

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-01-09T00:00:00", "descriptions": [{"lang": "en", "value": "commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a \"bad\" impact by triggering use of an option other than -v, -n, -q, or -P."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-10T01:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/918849"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/sitaramc/gitolite/blob/master/CHANGELOG"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21topic/gitolite-announce/6xbjjmpLePQ"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-20683", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a \"bad\" impact by triggering use of an option other than -v, -n, -q, or -P."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae", "refsource": "MISC", "url": "https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae"}, {"name": "https://bugs.debian.org/918849", "refsource": "MISC", "url": "https://bugs.debian.org/918849"}, {"name": "https://github.com/sitaramc/gitolite/blob/master/CHANGELOG", "refsource": "MISC", "url": "https://github.com/sitaramc/gitolite/blob/master/CHANGELOG"}, {"name": "https://groups.google.com/forum/#!topic/gitolite-announce/6xbjjmpLePQ", "refsource": "MISC", "url": "https://groups.google.com/forum/#!topic/gitolite-announce/6xbjjmpLePQ"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:05:17.632Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.debian.org/918849"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sitaramc/gitolite/blob/master/CHANGELOG"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/gitolite-announce/6xbjjmpLePQ"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-20683", "datePublished": "2019-01-10T01:00:00", "dateReserved": "2019-01-09T00:00:00", "dateUpdated": "2024-08-05T12:05:17.632Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitolite:gitolite:*:*:*:*:*:*:*:*", "matchCriteriaId": "28CA908F-A705-45C3-B4B8-A575E9265101", "versionEndExcluding": "3.6.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a \"bad\" impact by triggering use of an option other than -v, -n, -q, or -P."}, {"lang": "es", "value": "commands/rsync en Gitolite, en versiones anteriores a la 3.6.11, si .gitolite.rc habilita rsync, gestiona de manera incorrecta la l\u00ednea de comandos de rsync, lo que permite que los atacantes provoquen un \"mal\" impacto desencadenando el uso de una opci\u00f3n diferente de -v, -n, -q o -P."}], "id": "CVE-2018-20683", "lastModified": "2023-11-07T02:56:20.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-10T01:29:00.237", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.debian.org/918849"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/sitaramc/gitolite/blob/master/CHANGELOG"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21topic/gitolite-announce/6xbjjmpLePQ"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}