Published: 13/05/2014 Updated: 14/05/2014
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
VMScore: 695
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell prior to 1.7.3, as used in GitLab 5.0 prior to 5.4.1 and 6.x prior to 6.2.3, allows remote authenticated users to execute arbitrary commands via shell metacharacters in the public key.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.
Vulnerable Product Search on Vulmon Subscribe to Product

gitlab gitlab 6.0.0

gitlab gitlab 6.2.0

gitlab gitlab 5.2.0

gitlab gitlab 5.0.1

gitlab gitlab-shell

gitlab gitlab-shell 1.4.0

gitlab gitlab-shell 1.2.0

gitlab gitlab-shell 1.7.1

gitlab gitlab-shell 1.7.0

gitlab gitlab-shell 1.6.0

gitlab gitlab-shell 1.5.0

gitlab gitlab 6.2.1

gitlab gitlab 5.1.0

gitlab gitlab 6.2.2

gitlab gitlab-shell 1.0.4

gitlab gitlab 6.1.0

gitlab gitlab-shell 1.1.0

gitlab gitlab 5.0.0

gitlab gitlab-shell 1.3.0

gitlab gitlab 5.3.0

gitlab gitlab 5.4.0


## # This module requires Metasploit: http//metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## require 'msf/core' require 'net/ssh' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {} ...

Metasploit Modules

Gitlab-shell Code Execution

This module takes advantage of the addition of authorized ssh keys in the gitlab-shell functionality of Gitlab. Versions of gitlab-shell prior to 1.7.4 used the ssh key provided directly in a system call resulting in a command injection vulnerability. As this relies on adding an ssh key to an account, valid credentials are required to exploit this vulnerability.

msf > use exploit/multi/http/gitlab_shell_exec
      msf exploit(gitlab_shell_exec) > show targets
      msf exploit(gitlab_shell_exec) > set TARGET <target-id>
      msf exploit(gitlab_shell_exec) > show options
            ...show and set options...
      msf exploit(gitlab_shell_exec) > exploit