GitLab Remote code execution vulnerability in the SSH key upload

Credit: Nigel Kukard
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Remote code execution vulnerability in the SSH key upload feature of GitLab

There is a remote code execution vulnerability in the SSH key upload feature of GitLab. This vulnerability has been assigned the CVE identifier CVE-2013-4490.

Versions affected: 5.0, 5.1, 5.2, 5.3, 5.4, 6.0, 6.1, 6.2
Not affected: 4.2 and earlier
Fixed versions: 5.4.1, 6.2.3

### Impact

The gitlab-shell SSH access endpoint manages the authorized_keys file for the git user. When a user adds a public key using the GitLab web interface, a gitlab-shell command is invoked to add the public key to authorized_keys. In affected versions, the public key text entered by the user is exposed to the Bourne shell in a way that can be exploited to achieve code execution as the git user. Only authenticated users can upload an SSH key. All users running an affected release should upgrade gitlab-shell immediately.

### Releases

Gitlab-shell 1.7.4, available from, fixes the vulnerability and has been tested with GitLab 5.4.1 and GitLab 6.2.3.

### Workarounds

If you are using GitLab 5.0 or newer and you cannot upgrade to GitLab 5.4.1 or GitLab 6.2.3, you should apply the following edit to gitlab-shell.

```diff
--- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -29,8 +29,7 @@ class GitlabKeys
   def add_key
     $ "Adding key #{@key_id} => #{@key.inspect}"
     cmd = "command=\"#{ROOT_PATH}/bin/gitlab-shell #{@key_id}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{@key}"
-    cmd = "echo \'#{cmd}\' >> #{auth_file}"
-    system(cmd)
+    open(auth_file, 'a') { |file| file.puts(cmd) }
   end
 
   def rm_key
```

### Credits

Thanks to Nigel Kukard of for reporting the vulnerability to us.
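Review bot: the added line uses `open(auth_file, 'a')`, which is `Kernel#open`; that method spawns a subprocess when the path begins with `|`, so a change whose whole purpose is to keep user-controlled text away from any command interpreter should use `File.open(auth_file, 'a') { |file| file.puts(cmd) }` and not depend on how `auth_file` happens to be configured. Note also that the `#{@key}` interpolation in the unchanged `cmd` line above is still written verbatim: the fix removes the shell, but a key containing a newline would still land in authorized_keys as a second line without the `command=`/`no-*` options, so add_key should reject keys that are not a single `type base64 [comment]` line (or at minimum contain `\n` or `\r`) before `file.puts`.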

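As an added illustration, not part of this advisory and not gitlab-shell's own code, the following Ruby shows the safe shape of the workaround: the authorized_keys line is built exactly as in the patch, but it is written through the File API rather than a shell command, and the user-supplied key is checked against the `type base64 [comment]` shape of an OpenSSH public key line before it is accepted, so quotes, backslashes and embedded newlines are refused rather than interpreted. `ROOT_PATH`, the key id `key-42`, the key material and the sample inputs in `demo` are constructed values for the example.

```ruby
require 'tempfile'

# Constructed stand-in for gitlab-shell's ROOT_PATH (not the project's real value).
ROOT_PATH = '/home/git/gitlab-shell'

# Key types OpenSSH accepts in authorized_keys; anything else is refused.
KEY_TYPES = %w[ssh-rsa ssh-dss ssh-ed25519
               ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

# One public key line: "<type> <base64 blob>[ <comment>]". The comment is limited
# to a safe printable subset (no quotes, backslashes or newlines), and \A / \z
# anchor the match to the whole string, so an embedded newline can never smuggle
# a second, option-less line into authorized_keys.
KEY_RE = %r{\A(?<type>[a-z0-9-]+) (?<blob>[A-Za-z0-9+/]+=*)( (?<comment>[A-Za-z0-9 ._@+:-]*))?\z}

def valid_public_key?(key)
  return false unless key.is_a?(String) && key.bytesize <= 16 * 1024
  m = KEY_RE.match(key)
  !m.nil? && KEY_TYPES.include?(m[:type])
end

# Builds the same restricted line the patch builds, but refuses malformed input
# instead of trusting it.
def authorized_keys_line(key_id, key)
  raise ArgumentError, 'invalid key id' unless key_id =~ /\A[a-z0-9-]+\z/
  raise ArgumentError, 'malformed public key' unless valid_public_key?(key)
  "command=\"#{ROOT_PATH}/bin/gitlab-shell #{key_id}\"," \
    "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{key}"
end

# Append through the File API: nothing here is parsed by /bin/sh, so shell
# metacharacters in the key would be plain bytes in the file (and are rejected
# before this point anyway). File.open rather than Kernel#open, so a path that
# begins with "|" could never be run as a command.
def add_key(auth_file, key_id, key)
  line = authorized_keys_line(key_id, key)
  File.open(auth_file, 'a') { |f| f.puts(line) }
  line
end

# Exercises the functions above against a temporary authorized_keys file with
# constructed sample input and returns what happened.
def demo
  file = Tempfile.new('authorized_keys')
  good = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialForTheExample00 alice@example.com'
  bad = [
    "ssh-rsa AAAAB3NzaC1yc2E' extra",          # stray quote after the key blob
    "ssh-rsa AAAAB3NzaC1yc2E\nssh-rsa BBBB",   # second line hidden inside the key
    'not a key'                                 # unknown key type
  ]
  line = add_key(file.path, 'key-42', good)
  { line: line,
    written: File.read(file.path),
    rejected: bad.count { |k| !valid_public_key?(k) } }
ensure
  file&.close!
end
```

Calling `demo` appends exactly one restricted line for the well-formed key and reports that all three malformed inputs were refused; the validation is deliberately stricter than the patch, which only removes the shell, because the append itself cannot tell a key apart from a key followed by a newline and a second key.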
