Bash vulnerability (CVE-2014-6271)

John Keeping john at
Wed Sep 24 21:27:20 CEST 2014

In case anyone hasn't seen it yet, today's Bash vulnerability
(CVE-2014-6271) [0] may affect CGit servers.

I don't believe CGit in its default configuration will cause a shell to
be executed, but if you configure a filter then you may well be causing
a shell to be executed with the environment of the cgit process, which
will include user-specified variables such as the HTTP User-Agent

The example, and are vulnerable if /bin/sh on your system is a vulnerable
version of Bash.

I confirmed that I can echo arbitrary content from the User-Agent header
into the response on a CGit server I run which has custom filters


More information about the CGit mailing list