CVE-2024-47516

CVE-2024-47516 is a critical vulnerability in Pagure, a lightweight Git forge and web-based Git repository manager. It stems from an argument injection flaw (CWE-88) in the Git command used during retrieval of repository history, enabling remote code execution on the Pagure instance. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and lack of prerequisites for exploitation.

Any unauthenticated remote attacker can exploit this vulnerability by triggering the faulty repository history retrieval process, such as through a crafted request to Pagure's API or web interface. Successful exploitation grants arbitrary code execution on the server hosting the Pagure instance, potentially allowing full compromise including data theft, persistence, or lateral movement within the environment.

Red Hat advisories provide details on this vulnerability, including patches and mitigation guidance, accessible at https://access.redhat.com/security/cve/CVE-2024-47516 and https://bugzilla.redhat.com/show_bug.cgi?id=2315805. Security practitioners should review these for version-specific fixes and workarounds.