Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tNDQ1LXczeHItdnAyZs4AA-WG
soft-serve vulnerable to arbitrary code execution by crafting git-lfs requests
Impact
Any servers using soft-serve server and git
Patches
0.7.5
Workarounds
None.
References
n/a.
It is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git.
The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD.
This can be exploited to execute arbitrary code by, for example, uploading a malicious shared object file to Soft Serve via Git LFS (uploading it via LFS ensures that it is not compressed on disk and easier to work with). The file will be stored under its SHA256 hash, so it has a predictable name.
This file can then be referenced in LD_PRELOAD via a Soft Serve SSH session that causes git to be invoked. For example:
LD_PRELOAD=/.../data/lfs/1/objects/a2/b5/a2b585befededf5f95363d06d83655229e393b1b45f76d9f989a336668665a2f ssh server git-upload-pack repo
The example LFS file patches a shared library function called by git to execute a shell.
Permalink: https://github.com/advisories/GHSA-m445-w3xr-vp2fJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNDQ1LXczeHItdnAyZs4AA-WG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 months ago
Updated: about 1 month ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-m445-w3xr-vp2f, CVE-2024-41956
References:
- https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-m445-w3xr-vp2f
- https://nvd.nist.gov/vuln/detail/CVE-2024-41956
- https://github.com/charmbracelet/soft-serve/commit/4daebdd422a6ba8c04162d023f8be355a8fe3184
- https://pkg.go.dev/vuln/GO-2024-3019
- https://github.com/advisories/GHSA-m445-w3xr-vp2f
Blast Radius: 0.0
Affected Packages
go:github.com/charmbracelet/soft-serve
Dependent packages: 3Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.7.5
Fixed in: 0.7.5
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4
All unaffected versions: 0.7.5, 0.7.6