CVE-2018-20683

Name
CVE-2018-20683
Description
commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a "bad" impact by triggering use of an option other than -v, -n, -q, or -P.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Third Party Advisory https://groups.google.com/forum/#!topic/gitolite-announce/6xbjjmpLePQ
Patch https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae
Third Party Advisory https://github.com/sitaramc/gitolite/blob/master/CHANGELOG
Issue Tracking https://bugs.debian.org/918849

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gitolite:gitolite:*:*:*:*:*:*:*:* gitolite >= None < 3.6.11

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
gitolite edge-main 3.6.11-r0 None fixed
gitolite 3.22-main 3.6.11-r0 None fixed
gitolite 3.21-main 3.6.11-r0 None fixed
gitolite 3.20-main 3.6.11-r0 None fixed
gitolite 3.19-main 3.6.11-r0 None fixed
gitolite 3.18-main 3.6.11-r0 None fixed
gitolite 3.17-main 3.6.11-r0 None fixed
gitolite 3.12-main 3.6.11-r0 None fixed
gitolite 3.11-main 3.6.11-r0 None fixed
gitolite 3.10-main 3.6.11-r0 None fixed