CVE-2018-14912

Name: CVE-2018-14912
Creator: NVD / NIST
Published: 2018-08-03T19:29:00.793+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 93.19%

Last modified Jun 17, 2026

CVE-2018-14912 is a vulnerability of currently unknown severity. cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.. EPSS estimates a 93.19% chance of exploitation in the next 30 days.

Description

cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.

Metrics

EPSS Probability

93.19%

99.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-22

Affected Software

Vendor	Product	Versions
Cgit Project	Cgit	< 1.2.1
Debian	Debian Linux	8.0
Debian	Debian Linux	9.0

References

https://bugs.chromium.org/p/project-zero/issues/detail?id=1627Exploit, Issue Tracking, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/08/msg00005.htmlThird Party Advisory
https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.htmlVendor Advisory
https://www.debian.org/security/2018/dsa-4263Third Party Advisory
https://www.exploit-db.com/exploits/45195/Exploit, Third Party Advisory, VDB Entry
https://bugs.chromium.org/p/project-zero/issues/detail?id=1627Exploit, Issue Tracking, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/08/msg00005.htmlThird Party Advisory
https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.htmlVendor Advisory
https://www.debian.org/security/2018/dsa-4263Third Party Advisory
https://www.exploit-db.com/exploits/45195/Exploit, Third Party Advisory, VDB Entry

Timeline

Published: Aug 3, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-14912?

cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.

How severe is CVE-2018-14912?

Severity scoring for CVE-2018-14912 is pending analysis. The EPSS model estimates a 93.19% probability of exploitation in the next 30 days.

How do I fix CVE-2018-14912?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-14912?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST