Malicious users may access any Git repository on the server even if it is outside the served root directory.
Tested version: master branch, on Windows (should work on Linux too).
Issue: function resolveRepositoryPath does not validate user input.
git-server serves Git repositories over http(s) from a configured root directory, repoRoot. The only supported way to expose repositories outside repoRoot is to define 'virtual' repository paths in the server configuration file.
resolveRepositoryPath does not properly validate user input, so a malicious user may traverse to any valid Git repository outside the repoRoot.
This issue may lead to unauthorized access to private Git repositories.
Coordinated Disclosure Timeline
- 09/07/2020: Report sent to Vendor
- 09/07/2020: Vendor acknowledges
- 23/07/2020: Fixed in v1.3.1
- 11/08/2020: CVE-2020-9708 assigned
- 11/08/2020: Advisory released
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at firstname.lastname@example.org; please include a reference to GHSL-2020-133 in any communication regarding this issue.