Vulnerability Description
GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality. Attackers can brute-force the Blowfish encryption key, upload a malicious JAR plugin via the git-lfs endpoint, and execute system commands through an exposed exploit endpoint.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://github.com/gitbucket/gitbucket
- https://security.szurek.pl/
- https://www.exploit-db.com/exploits/44668
- https://www.vulncheck.com/advisories/gitbucket-unauthenticated-remote-code-execu
FAQ
What is CVE-2018-25332?
CVE-2018-25332 is a vulnerability with a CVSS score of 9.8 (CRITICAL). GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload...
How severe is CVE-2018-25332?
CVE-2018-25332 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-25332?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.