Summary

Malicious users may access any Git repository on the server even if it is outside the served root directory.

Product

git-server

Tested Version

Master branch. Windows OS (should work on Linux too).

Details

Function resolveRepositoryPath doesn’t validate user input

git-server serves Git repositories over http(s) from a configured root directory, repoRoot. The only supported way to expose repositories outside repoRoot is to define 'virtual' repository paths in the server configuration file.

However, resolveRepositoryPath doesn't properly validate the repository path taken from the request, so a malicious user may traverse to any valid Git repository outside the repoRoot.

Impact

This issue may lead to unauthorized access to private Git repositories.

CVE

CVE-2020-9708

Coordinated Disclosure Timeline

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-133 in any communication regarding this issue.