cgit ‘Author’ Field Remote Denial of Service Vulnerability


cgit is prone to a remote denial-of-service vulnerability.


The information has been provided by Jim Meyering.


Vulnerable Systems:
 * cgit cgit and Prior

Attackers can exploit this issue to crash the affected application, denying service to legitimate users. Heap-based buffer overflow in the substr function in parsing.c in cgit and earlier allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via an empty username in the ‘Author’ field in a commit.

Some vulnerabilities has been reported in cgit, which can be exploited by malicious users to cause a DoS (Denial of Service) and compromise a vulnerable system. 1) An error when parsing the ‘Author’ field of a Git commit and can be exploited to cause a heap-based buffer overflow and crash the application. 2) An error in the script when processing the ‘–plug-in’ argument can be exploited to inject shell commands.

CVE Information:

Disclosure Timeline:
Published: Oct 01 2012 12:00AM
Updated: Oct 12 2012 06:40PM

Categories: News