Vulnerability Description
Gitolite before 3.6.9 does not, in certain configurations involving @all or a regex, properly restrict access to a Git repository that is still in the process of being migrated, before the full set of migration steps has been completed. Valid (already authenticated) users can therefore obtain access to such a repository that the intended configuration would not grant.
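Because the only version boundary the advisory gives is 3.6.9, the first thing an administrator wants is a quick check of the installed release. The POSIX shell snippet below is an added example (it is not part of gitolite, the fix commit, or this advisory): it normalises the string printed by `gitolite version` (assumed here to be the contents of gitolite's VERSION file, for example v3.6.7-1-gabcdef0 from git describe, or a plain 3.6.9) and reports whether that release predates the fix.

```sh
#!/bin/sh
# Added example for CVE-2018-16976: flag a gitolite version string as "affected"
# when it is older than 3.6.9, the first fixed release named in the description.
# Not part of gitolite. Assumes `gitolite version` prints the VERSION file
# contents, e.g. "v3.6.7-1-gabcdef0" (git describe output) or "3.6.9".

# Normalise a version string: drop a leading "v" and anything from the first
# "-", "+" or space onward (git-describe suffix, distro revision).
#   "v3.6.7-1-gabcdef0" -> "3.6.7"
gl_normalize_version() {
    printf '%s\n' "$1" | sed -e 's/^[vV]//' -e 's/[-+ ].*$//'
}

# Compare a version string against the fixed release 3.6.9.
# Prints "affected" if older, "fixed" otherwise, or "unknown" (exit 2) when
# the input is not a dotted numeric version.
gl_cve_2018_16976_status() {
    ver=$(gl_normalize_version "$1")
    case "$ver" in
        ''|*[!0-9.]*) printf 'unknown\n'; return 2 ;;
    esac
    # Split on "." into positional parameters; missing components count as 0.
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    if [ "$maj" -lt 3 ] \
       || { [ "$maj" -eq 3 ] && [ "$min" -lt 6 ]; } \
       || { [ "$maj" -eq 3 ] && [ "$min" -eq 6 ] && [ "$pat" -lt 9 ]; }; then
        printf 'affected\n'
    else
        printf 'fixed\n'
    fi
}

# When run on a host with gitolite installed, check the live installation.
# (Silently skipped where the gitolite command is not on PATH.)
if command -v gitolite >/dev/null 2>&1; then
    gl_cve_2018_16976_status "$(gitolite version 2>/dev/null)"
fi
```

Run it as the gitolite hosting user so that `gitolite` resolves on PATH. An "affected" result means the installation needs the 3.6.9 upgrade (or the referenced fix commit); the check says nothing about whether a migration with @all or regex rules is currently in progress, so it is a version gate, not proof of exposure or of safety.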
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gitolite | Gitolite | < 3.6.9 |
Related Weaknesses (CWE)
References
- https://bugs.debian.org/908699 (Mailing List, Patch, Third Party Advisory)
- https://github.com/sitaramc/gitolite/commit/dc13dfca8fdae5634bb0865f7e9822d2a268 (Patch, Third Party Advisory)
- https://groups.google.com/forum/#%21topic/gitolite-announce/WrwDTYdbfRg
FAQ
What is CVE-2018-16976?
CVE-2018-16976 is a vulnerability with a CVSS base score of 8.1 (HIGH). Gitolite before 3.6.9 does not, in certain configurations involving @all or a regex, properly restrict access to a Git repository that is in the process of being migrated until the full set of migration steps has been completed, which can allow valid users to obtain unintended access.
How severe is CVE-2018-16976?
CVE-2018-16976 is rated HIGH with a CVSS base score of 8.1/10. This page lists only the base score and rating; the references above lead to the full advisory material.
Is there a patch for CVE-2018-16976?
Yes. The issue is fixed in Gitolite 3.6.9; the references section above links the upstream fix commit, the gitolite-announce notice, and the Debian bug report. The only affected product is Gitolite, in all versions before 3.6.9.