CVE-2008-5516: OS Command Injection

Published Jan 12, 2009
·
Updated

Sebastian Krahmer of the SuSE security team discovered a remote command injection flaws in the gitweb, caused by an insufficient checking of the inputs used to build argument to perl's open() function. Remote attacker could use these flaws to run arbitrary commands with the privileges of the web server executing gitweb CGI scripts.

Issues are already fixed upstream in the latest git branches. It seems that the security consequences were not noticed when fixes were applied upstream, as multiple occurrences of the similar flaws were fixed in different upstream versions:

CVE-2008-5517 http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5 (fixes issues in gitsnapshot and gitobject, first occurred in 1.5.6)

CVE-2008-5516 http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae (fixes issue in gitsearch, first occurred in 1.5.5)

All current Fedora packages use version 1.5.6+, so neither of the issue apply to them. EPEL versions should be affected by one or both of the issues.

Other sources

The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote attackers to execute arbitrary commands via shell metacharacters related to gitsearch.

Affected Software

117 affected components
Git Git=0.99.9j
Git Git=0.99.9k
Git Git=0.99.9l
Git Git=0.99.9m
Git Git=0.99.9n
Git Git=1.0.0
Git Git=1.0.0b
Git Git=1.0.3
Git Git=1.0.4
Git Git=1.0.5
Git Git=1.0.6
Git Git=1.0.7
Git Git=1.0.8
Git Git=1.1.1
Git Git=1.1.2
Git Git=1.1.3
Git Git=1.1.4
Git Git=1.1.5
Git Git=1.1.6
Git Git=1.2.0
Git Git=1.2.1
Git Git=1.2.2
Git Git=1.2.3
Git Git=1.2.4
Git Git=1.2.5
Git Git=1.2.6
Git Git=1.3.0
Git Git=1.3.1
Git Git=1.3.2
Git Git=1.3.3
Git Git=1.4.0
Git Git=1.4.1
Git Git=1.4.1.1
Git Git=1.4.2
Git Git=1.4.2.1
Git Git=1.4.2.2
Git Git=1.4.2.3
Git Git=1.4.2.4
Git Git=1.4.3
Git Git=1.4.3.1
Git Git=1.4.3.2
Git Git=1.4.3.3
Git Git=1.4.3.4
Git Git=1.4.3.5
Git Git=1.4.4
Git Git=1.4.4.1
Git Git=1.4.4.2
Git Git=1.4.4.3
Git Git=1.4.4.4
Git Git=1.5.0
Git Git=1.5.0-rc2
Git Git=1.5.0-rc3
Git Git=1.5.0-rc4
Git Git=1.5.0.1
Git Git=1.5.0.2
Git Git=1.5.0.3
Git Git=1.5.0.4
Git Git=1.5.0.5
Git Git=1.5.0.6
Git Git=1.5.0.7
Git Git=1.5.1
Git Git=1.5.1.1
Git Git=1.5.1.2
Git Git=1.5.1.3
Git Git=1.5.1.4
Git Git=1.5.1.5
Git Git=1.5.1.6
Git Git=1.5.2
Git Git=1.5.2.1
Git Git=1.5.2.2
Git Git=1.5.2.3
Git Git=1.5.2.4
Git Git=1.5.2.5
Git Git=1.5.3
Git Git=1.5.3-rc4
Git Git=1.5.3-rc5
Git Git=1.5.3-rc7
Git Git=1.5.3.1
Git Git=1.5.3.2
Git Git=1.5.3.3
Git Git=1.5.3.4
Git Git=1.5.3.5
Git Git=1.5.3.6
Git Git=1.5.3.7
Git Git=1.5.3.8
Git Git=1.5.4
Git Git=1.5.4-rc0
Git Git=1.5.4-rc1
Git Git=1.5.4-rc1.1136.g2794
Git Git=1.5.4-rc2
Git Git=1.5.4-rc3
Git Git=1.5.4-rc4
Git Git=1.5.4-rc5
Git Git=1.5.4.1
Git Git=1.5.4.2
Git Git=1.5.4.3
Git Git=1.5.4.4
Git Git=1.5.4.5
Git Git=1.5.4.6
Git Git=1.5.4.7
Git Git=1.5.5
Git Git=1.5.5-rc1
Git Git=1.5.5-rc2
Git Git=1.5.5-rc3
Git Git=1.5.5.1
Git Git=1.5.5.2
Git Git=1.5.5.3
Git Git=1.5.5.4
Git Git=1.5.5.5
Git Git=1.5.5.6
Git Git=1.5.6.1
Git Git=1.5.6.2
Git Git=1.5.6.3
Git Git=1.5.6.4
git-scm Git=0.6.0
git-scm Git=0.7.0
rPath Linux=2

Event History

Jan 12, 2009
Data Sourced
via Red Hat·04:48 PM
DescriptionSeverityAffected Software
Jan 20, 2009
CVE Published
via MITRE·04:00 PM
Data Sourced
via MITRE·04:00 PM
Description
Data Sourced
04:30 PM
DescriptionWeaknessAffected Software
Jan 12, 2024
Data Sourced
via Red Hat·12:22 PM
Remedy
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2008-5516?

CVE-2008-5516 has a moderate severity rating due to its ability to allow remote command execution.

2

How do I fix CVE-2008-5516?

To fix CVE-2008-5516, upgrade to versions of git and gitweb that are 1.5.5 or above to eliminate the vulnerability.

3

What versions of Git are affected by CVE-2008-5516?

CVE-2008-5516 affects Git versions from 1.5.0 to 1.5.4, including pre-release versions.

4

What type of attack does CVE-2008-5516 allow?

CVE-2008-5516 allows attackers to perform remote command execution via shell metacharacters.

5

Is there a known exploit for CVE-2008-5516?

There are known exploitation techniques for CVE-2008-5516 that can lead to unauthorized command execution.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203