CVE-2008-5517

git < 1.5.6 - Remote Code Execution via gitweb Shell Metacharacters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-5517. PoCs published by S2 Crew.

AI-analyzed exploit summary This exploit demonstrates a remote command execution vulnerability in GitWeb (CVE-2008-5517) by injecting shell commands via the `git_object` function. The PoC shows how arbitrary commands can be executed through manipulated input parameters in the URL.

Description

The web interface in git (gitweb) 1.5.x before 1.5.6 allows remote attackers to execute arbitrary commands via shell metacharacters related to (1) git_snapshot and (2) git_object.

Exploits (1)

exploitdb WORKING POC

by S2 Crew · textremotelinux

https://www.exploit-db.com/exploits/11497

View Code ZIP pw:eip

This exploit demonstrates a remote command execution vulnerability in GitWeb (CVE-2008-5517) by injecting shell commands via the `git_object` function. The PoC shows how arbitrary commands can be executed through manipulated input parameters in the URL.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: GitWeb (GIT 1.5.2)

No auth needed

Prerequisites: Access to a vulnerable GitWeb instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (17)

Core 17

Core References

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2009/dsa-1708

Issue Tracking x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=479715

Third Party Advisory vendor-advisory x_refsource_gentoo

http://www.gentoo.org/security/en/glsa/glsa-200903-15.xml

Third Party Advisory x_refsource_confirm

http://wiki.rpath.com/Advisories:rPSA-2009-0005

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/0175

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34194

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/33964

Various Sources x_refsource_misc

http://repo.or.cz/w/git.git?a=commitdiff%3Bh=516381d5

Patch vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/33215

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00002.html

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2009/01/23/2

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/500008/100/0/threaded

Issue Tracking x_refsource_confirm

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512330

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2009/01/20/1

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2009/01/21/7

Issue Tracking x_refsource_confirm

https://issues.rpath.com/browse/RPL-2936

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-723-1

Scores

EPSS 0.1188

EPSS Percentile 95.6%

Details

CWE

CWE-94

Status published

Products (37)

git/git 1.5.0 (4 CPE variants)

git/git 1.5.0.1

git/git 1.5.0.2

git/git 1.5.0.3

git/git 1.5.0.4

git/git 1.5.0.5

git/git 1.5.0.6

git/git 1.5.0.7

git/git 1.5.1

git/git 1.5.1.1

... and 27 more

Published Jan 13, 2009

Tracked Since Feb 18, 2026