-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CVE-2024-39930, CVE-2024-39932, CVE-2024-39933 Co-authored-by: Stefan Schiller <[email protected]>
- Loading branch information
1 parent
e100329
commit 07ff199
Showing
3 changed files
with
49 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| --- | ||
| functions: | ||
| command: | ||
| - description: | | ||
| The `--split-string` allows multiple additional arguments to be supplied. The first | ||
| positional argument not containing an equals sign (`=`) will be executed as a | ||
| command, all following arguments are passed to that command as arguments. | ||
| code: |- | ||
| env '--split-string=sh -c "id > /tmp/pwned"' foo | ||
| references: | ||
| - title: "Securing Developer Tools: Unpatched Code Vulnerabilities in Gogs (1/2)" | ||
| url: https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/ | ||
| - title: "CVE-2024-39930" | ||
| url: https://nvd.nist.gov/vuln/detail/CVE-2024-39930 | ||
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| --- | ||
| functions: | ||
| command: | ||
| - description: | | ||
| `git diff` supports the (undocumented) option `--output`, but if no other positional | ||
| parameters are present, the destination file can only be created or truncated. | ||
| If the Git repository is controlled, planting a bare repository at the top-level | ||
| with a malicious configuration (e.g. `core.fsmonitor`), truncating `.git/config` | ||
| and then running another Git command is enough to gain code execution. | ||
| code: |- | ||
| git diff '--output=.git/config' | ||
| git status | ||
| references: | ||
| - title: "Securing Developer Tools: Unpatched Code Vulnerabilities in Gogs (2/2)" | ||
| url: https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-2/ | ||
| - title: "CVE-2024-39932" | ||
| url: https://nvd.nist.gov/vuln/detail/CVE-2024-39932 | ||
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| --- | ||
| functions: | ||
| file-read: | ||
| - description: | | ||
| `git tag` supports the option `--file` to read the tag message from a file. To | ||
| retrieve the file contents later, you need to have access to tags and their tag | ||
| messages. This might be possible within the target application or by cloning | ||
| the repo and manually extracting the tag message via | ||
| `git cat-file -p refs/tags/<tagname>` | ||
| code: |- | ||
| git tag '--file=/etc/passwd' main | ||
| git cat-file -p refs/tags/<tagname> | ||
| references: | ||
| - title: "CVE-2024-39933" | ||
| url: https://nvd.nist.gov/vuln/detail/CVE-2024-39933 | ||
| --- |