ghsa-m445-w3xr-vp2f
Vulnerability from github
Published
2024-08-02 12:51
Modified
2024-08-07 19:26
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
soft-serve vulnerable to arbitrary code execution by crafting git-lfs requests
Details

Impact

Any servers using soft-serve server and git

Patches

0.7.5

Workarounds

None.

References

n/a.

It is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git.

The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD.

This can be exploited to execute arbitrary code by, for example, uploading a malicious shared object file to Soft Serve via Git LFS (uploading it via LFS ensures that it is not compressed on disk and easier to work with). The file will be stored under its SHA256 hash, so it has a predictable name.

This file can then be referenced in LD_PRELOAD via a Soft Serve SSH session that causes git to be invoked. For example:

bash LD_PRELOAD=/.../data/lfs/1/objects/a2/b5/a2b585befededf5f95363d06d83655229e393b1b45f76d9f989a336668665a2f ssh server git-upload-pack repo

The example LFS file patches a shared library function called by git to execute a shell.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/charmbracelet/soft-serve"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-41956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-02T12:51:12Z",
    "nvd_published_at": "2024-08-01T22:15:29Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAny servers using soft-serve server and git\n\n### Patches\n\u003e0.7.5\n\n### Workarounds\nNone.\n\n### References\nn/a.\n\n---\n\nIt is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git.\n\nThe issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as `LD_PRELOAD`.\n\nThis can be exploited to execute arbitrary code by, for example, uploading a malicious shared object file to Soft Serve via Git LFS (uploading it via LFS ensures that it is not compressed on disk and easier to work with). The file will be stored under its SHA256 hash, so it has a predictable name.\n\nThis file can then be referenced in `LD_PRELOAD` via a Soft Serve SSH session that causes git to be invoked. For example:\n\n```bash\nLD_PRELOAD=/.../data/lfs/1/objects/a2/b5/a2b585befededf5f95363d06d83655229e393b1b45f76d9f989a336668665a2f ssh server git-upload-pack repo\n```\n\nThe example LFS file patches a shared library function called by git to execute a shell.",
  "id": "GHSA-m445-w3xr-vp2f",
  "modified": "2024-08-07T19:26:34Z",
  "published": "2024-08-02T12:51:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-m445-w3xr-vp2f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41956"
    },
    {
      "type": "WEB",
      "url": "https://github.com/charmbracelet/soft-serve/commit/4daebdd422a6ba8c04162d023f8be355a8fe3184"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/charmbracelet/soft-serve"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "soft-serve vulnerable to arbitrary code execution by crafting git-lfs requests"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.