CVE-2008-5916
First published: Wed Jan 21 2009(Updated: )
gitweb/gitweb.perl in gitweb in Git 1.6.x before 1.6.0.6, 1.5.6.x before 1.5.6.6, 1.5.5.x before 1.5.5.6, 1.5.4.x before 1.5.4.7, and other versions after 1.4.3 allows local repository owners to execute arbitrary commands by modifying the diff.external configuration variable and executing a crafted gitweb query.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Git | =1.5.4-rc1.1136.g2794 | |
| Git | =1.5.0.7 | |
| Git | =1.5.5 | |
| Git | =1.5.6.5 | |
| Git | =1.5.0-rc4 | |
| Git | =1.5.0.3 | |
| Git | =1.5.2.5 | |
| Git | =1.5.1.4 | |
| Git | =1.5.3.1 | |
| Git | =1.5.4-rc2 | |
| Git | =1.5.4.1 | |
| Git | =1.5.6.3 | |
| Git | =1.5.6.4 | |
| Git | =1.6.0.3 | |
| Git | =1.6.0.2 | |
| Git | =1.5.3.3 | |
| Git | =1.5.1.3 | |
| Git | =1.5.5.4 | |
| Git | =1.4.4.1 | |
| Git | =1.5.3-rc4 | |
| Git | =1.5.2.3 | |
| Git | =1.5.3.8 | |
| Git | =1.5.5.1 | |
| Git | =1.4.3.3 | |
| Git | =1.6.0 | |
| Git | =1.5.2.1 | |
| Git | =1.5.4.3 | |
| Git | =1.6.0-rc1 | |
| Git | =1.5.5-rc2 | |
| Git | =1.5.1.5 | |
| Git | =1.5.4.6 | |
| Git | =1.5.5.3 | |
| Git | =1.5.4-rc3 | |
| Git | =1.5.3-rc7 | |
| Git | =1.5.3.5 | |
| Git | =1.5.5.3-r1 | |
| Git | =1.4.3.1 | |
| Git | =1.5.3-rc5 | |
| Git | =1.5.2.2 | |
| Git | =1.6.0-rc3 | |
| Git | =1.5.0.2 | |
| Git | =1.5.4-rc1 | |
| Git | =1.5.0.1 | |
| Git | =1.5.0.4 | |
| Git | =1.5.5-rc3 | |
| Git | =1.6.0.5 | |
| Git | =1.6.0-rc2 | |
| Git | =1.5.4 | |
| Git | =1.5.5.2 | |
| Git | =1.5.2.4 | |
| Git | =1.4.4 | |
| Git | =1.4.4.3 | |
| Git | =1.5.0 | |
| Git | =1.4.3.2 | |
| Git | =1.5.6 | |
| Git | =1.5.1.1 | |
| Git | =1.4.4.4 | |
| Git | =1.5.2 | |
| Git | =1.6.0.1 | |
| Git | =1.5.0.6 | |
| Git | =1.5.4.4 | |
| Git | =1.5.4.2 | |
| Git | =1.5.1.2 | |
| Git | =1.5.1 | |
| Git | =1.5.4-rc0 | |
| Git | =1.5.3.2 | |
| Git | =1.5.5-rc1 | |
| Git | =1.5.0.5 | |
| Git | =1.4.3.4 | |
| Git | =1.4.3.5 | |
| Git | =1.5.0-rc3 | |
| Git | =1.5.4-rc4 | |
| Git | =1.5.3.4 | |
| Git | =1.5.1.6 | |
| Git | =1.4.4.2 | |
| Git | =1.5.3 | |
| Git | =1.6.0.4 | |
| Git | =1.5.4.5 | |
| Git | =1.5.3.6 | |
| Git | =1.5.0-rc2 | |
| Git | =1.5.3.7 | |
| Git | =1.5.6.1 | |
| Git | =1.5.4-rc5 | |
| Git | =1.5.6.2 | |
| Git | =1.5.5.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://marc.info/?l=git&m=122975564100860&w=2
- http://www.openwall.com/lists/oss-security/2009/01/15/2
- http://www.openwall.com/lists/oss-security/2009/01/20/2
- http://marc.info/?l=linux-kernel&m=122975564100863&w=2:
- http://securityreason.com/securityalert/4922
- http://www.ubuntu.com/usn/USN-723-1
- http://secunia.com/advisories/33964
- http://secunia.com/advisories/34194
- http://www.gentoo.org/security/en/glsa/glsa-200903-15.xml
- https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01170.html
- http://secunia.com/advisories/33282
- http://osvdb.org/50918
- https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01169.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47528
Frequently Asked Questions
What is the severity of CVE-2008-5916?
CVE-2008-5916 has a high severity level as it allows local repository owners to execute arbitrary commands remotely.
How do I fix CVE-2008-5916?
To fix CVE-2008-5916, you should upgrade Git to a version that addresses this vulnerability, ideally 1.6.0.6 or later.
What versions of Git are affected by CVE-2008-5916?
CVE-2008-5916 affects multiple versions of Git prior to 1.6.0.6, including several releases in the 1.5.x and 1.4.x series.
Can CVE-2008-5916 be exploited remotely?
No, CVE-2008-5916 can only be exploited locally by the repository owner modifying their configuration.
What is the recommended mitigation for CVE-2008-5916?
The best mitigation for CVE-2008-5916 is to restrict access to the Git repositories and ensure only trusted users can modify configurations.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/git
- canonical/git
- version/git/1.5.4-rc1.1136.g2794
- version/git/1.5.0.7
- version/git/1.5.5
- version/git/1.5.6.5
- version/git/1.5.0-rc4
- version/git/1.5.0.3
- version/git/1.5.2.5
- version/git/1.5.1.4
- version/git/1.5.3.1
- version/git/1.5.4-rc2
- version/git/1.5.4.1
- version/git/1.5.6.3
- version/git/1.5.6.4
- version/git/1.6.0.3
- version/git/1.6.0.2
- version/git/1.5.3.3
- version/git/1.5.1.3
- version/git/1.5.5.4
- version/git/1.4.4.1
- version/git/1.5.3-rc4
- version/git/1.5.2.3
- version/git/1.5.3.8
- version/git/1.5.5.1
- version/git/1.4.3.3
- version/git/1.6.0
- version/git/1.5.2.1
- version/git/1.5.4.3
- version/git/1.6.0-rc1
- version/git/1.5.5-rc2
- version/git/1.5.1.5
- version/git/1.5.4.6
- version/git/1.5.5.3
- version/git/1.5.4-rc3
- version/git/1.5.3-rc7
- version/git/1.5.3.5
- version/git/1.5.5.3-r1
- version/git/1.4.3.1
- version/git/1.5.3-rc5
- version/git/1.5.2.2
- version/git/1.6.0-rc3
- version/git/1.5.0.2
- version/git/1.5.4-rc1
- version/git/1.5.0.1
- version/git/1.5.0.4
- version/git/1.5.5-rc3
- version/git/1.6.0.5
- version/git/1.6.0-rc2
- version/git/1.5.4
- version/git/1.5.5.2
- version/git/1.5.2.4
- version/git/1.4.4
- version/git/1.4.4.3
- version/git/1.5.0
- version/git/1.4.3.2
- version/git/1.5.6
- version/git/1.5.1.1
- version/git/1.4.4.4
- version/git/1.5.2
- version/git/1.6.0.1
- version/git/1.5.0.6
- version/git/1.5.4.4
- version/git/1.5.4.2
- version/git/1.5.1.2
- version/git/1.5.1
- version/git/1.5.4-rc0
- version/git/1.5.3.2
- version/git/1.5.5-rc1
- version/git/1.5.0.5
- version/git/1.4.3.4
- version/git/1.4.3.5
- version/git/1.5.0-rc3
- version/git/1.5.4-rc4
- version/git/1.5.3.4
- version/git/1.5.1.6
- version/git/1.4.4.2
- version/git/1.5.3
- version/git/1.6.0.4
- version/git/1.5.4.5
- version/git/1.5.3.6
- version/git/1.5.0-rc2
- version/git/1.5.3.7
- version/git/1.5.6.1
- version/git/1.5.4-rc5
- version/git/1.5.6.2
- version/git/1.5.5.5