Skip to content

soft-serve vulnerable to arbitrary code execution by crafting git-lfs requests

High severity GitHub Reviewed Published Aug 1, 2024 in charmbracelet/soft-serve • Updated Aug 7, 2024

Package

gomod github.com/charmbracelet/soft-serve (Go)

Affected versions

< 0.7.5

Patched versions

0.7.5

Description

Impact

Any servers using soft-serve server and git

Patches

0.7.5

Workarounds

None.

References

n/a.

It is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git.

The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD.

This can be exploited to execute arbitrary code by, for example, uploading a malicious shared object file to Soft Serve via Git LFS (uploading it via LFS ensures that it is not compressed on disk and easier to work with). The file will be stored under its SHA256 hash, so it has a predictable name.

This file can then be referenced in LD_PRELOAD via a Soft Serve SSH session that causes git to be invoked. For example:

LD_PRELOAD=/.../data/lfs/1/objects/a2/b5/a2b585befededf5f95363d06d83655229e393b1b45f76d9f989a336668665a2f ssh server git-upload-pack repo

The example LFS file patches a shared library function called by git to execute a shell.

References

@caarlos0 caarlos0 published to charmbracelet/soft-serve Aug 1, 2024
Published by the National Vulnerability Database Aug 1, 2024
Published to the GitHub Advisory Database Aug 2, 2024
Reviewed Aug 2, 2024
Last updated Aug 7, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-41956

GHSA ID

GHSA-m445-w3xr-vp2f

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.