Description:
A security issue has been reported in gitolite, which can be exploited by malicious users to bypass certain security restrictions. The security issue is caused due to an error when handling certain actions and can be exploited to e.g. perform actions with the privileges of the gitolite server via directory traversal attacks. Successful exploitation requires using wild card repositories and allowing to match "../" string patterns. The security issue is reported in version 3.x.

Solution:
Fixed in the source code repository.

Provided and/or discovered by:
The vendor credits Stephane.

Original Advisory:
https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion[1-25]
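The advisory above describes the general failure mode: a wildcard repository pattern that is permissive enough to match "../" lets a caller-supplied repository name resolve outside the repository base directory. The following is an added illustration of the defensive check an administrator or maintainer would want in front of any such pattern; it is not gitolite's code, and the base directory, the pattern and the sample names are constructed for this example.

```python
import os
import re

# Constructed for this example: where bare repositories are assumed to live.
REPO_BASE = "/srv/git/repositories"

# Constructed, deliberately permissive wildcard pattern: "<owner>/<anything>".
# On its own it happily matches names that contain "../".
PATTERN = re.compile(r"^[a-z][a-z0-9_-]*/.+$")


def repo_path_is_safe(repo_name: str, base: str = REPO_BASE) -> bool:
    """Return True only if repo_name resolves to a path strictly inside base."""
    if not repo_name or repo_name.startswith("/"):
        return False
    # Reject traversal and empty components lexically, before any filesystem access.
    parts = repo_name.split("/")
    if any(part in ("", ".", "..") for part in parts):
        return False
    # Belt and braces: normalise the final path and confirm it stays under base.
    full = os.path.normpath(os.path.join(base, repo_name + ".git"))
    base_norm = os.path.normpath(base)
    return full.startswith(base_norm + os.sep)


def accept_wild_repo(repo_name: str) -> bool:
    """Combine the wildcard match with the containment check; both must pass."""
    return repo_path_is_safe(repo_name) and PATTERN.match(repo_name) is not None


if __name__ == "__main__":
    for name in ("alice/project", "alice/../../outside", "alice//project"):
        print(f"{name!r}: pattern={bool(PATTERN.match(name))} accepted={accept_wild_repo(name)}")
```

The point the example makes is that the regex alone is not the security boundary: "alice/../../outside" satisfies `PATTERN`, and only the explicit component check (or the normalised-path containment check) refuses it. Anchoring the pattern and forbidding ".." components is the cheap fix; the normpath comparison catches anything the lexical check missed.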
gitolite-3.1 has just been committed.
(In reply to comment #1)
> gitolite-3.1 has just been committed.

Is that vulnerability reproducible in the 2.x version too?
(In reply to comment #2)
> (In reply to comment #1)
> > gitolite-3.1 has just been committed.
>
> Is that vulnerability reproducible in the 2.x version too?

It's not known to be affected.
thanks, fixed.