Unrated severity · NVD Advisory · Published Oct 4, 2011 · Updated Apr 29, 2026
CVE-2011-1572
Description
Directory traversal vulnerability in the Admin Defined Commands (ADC) feature in gitolite before 1.5.9.1 allows remote attackers to execute arbitrary commands via .. (dot dot) sequences in admin-defined commands.
Affected products
- cpe:2.3:a:gitolite:gitolite:*:*:*:*:*:*:*:* (range: <=1.5.9)
- cpe:2.3:a:gitolite:gitolite:0.50:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:0.55:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:0.60:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:0.65:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:0.70:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:0.80:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:0.85:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:0.90:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:0.95:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:gitolite:gitolite:1.5.8:*:*:*:*:*:*:*
Patches
4ce00aef84d1: security fix for optional ADC (admin-defined command) feature
1 file changed · +1 −0
src/gl-auth-command+1 −0 modified@@ -154,6 +154,7 @@ die "server is in slave mode; you can only fetch\n" if ($GL_ADC_PATH and -d $GL_ADC_PATH) { my ($cmd, @args) = split ' ', $ENV{SSH_ORIGINAL_COMMAND}; if (-x "$GL_ADC_PATH/$cmd") { + die "I don't like $cmd\n" if $cmd =~ /\.\./; # yes this is rather strict, sorry. do { die "I don't like $_\n" unless $_ =~ $ADC_CMD_ARGS_PATT } for ($cmd, @args); &log_it("$GL_ADC_PATH/$ENV{SSH_ORIGINAL_COMMAND}");
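Review bot: the new `..` check sits inside the `if (-x "$GL_ADC_PATH/$cmd")` block, so the `-x` test has already been run against a path built from the untrusted `$cmd` before it is rejected, and a `$cmd` containing `..` that does not resolve to an executable skips the `die` and falls through to the rest of the script. Move the check above the `-x` test, directly after the `split`, so the client-supplied name is validated before it touches the filesystem. The added line also only inspects `$cmd`; `@args` depend entirely on `$ADC_CMD_ARGS_PATT`, which is not visible in this hunk, so confirm that pattern cannot admit `..` or apply the same check to the arguments. A short comment stating why `..` is refused (it lets `$cmd` resolve outside `$GL_ADC_PATH`) would help the next reader.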
References
- seclists.org/oss-sec/2011/q2/197 (nvd, Patch)
- seclists.org/oss-sec/2011/q2/209 (nvd, Patch)
- www.securityfocus.com/bid/46473 (nvd, Patch)
- bugzilla.redhat.com/show_bug.cgi (nvd, Patch)
- github.com/sitaramc/gitolite/commit/4ce00aef84d1ff7c35f7adbbb99a6241cfda00cc (nvd, Patch)
- groups.google.com/group/gitolite/browse_thread/thread/797a93ec26e1dcbc (nvd)
- www.debian.org/security/2011/dsa-2215 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/65542 (nvd)