Lucene search

GoogleOSV:GHSA-3H6C-C475-JM7V

HistoryApr 22, 2024 - 7:07 p.m.

Arbitrary Code Execution in Gitea

2024-04-2219:07:03

Google

osv.dev

gitea

git hook

remote code execution

security vulnerability

software

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

Low

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.973 High

EPSS

Percentile

99.9%

JSON

The git hook feature in Gitea 1.1.0 through 1.12.5 allows for authenticated remote code execution.

CPENameOperatorVersion
code.gitea.io/gitealt1.12.6
code.gitea.io/giteage1.1.0

CPE	Name	Operator	Version
	code.gitea.io/gitea	lt	1.12.6
	code.gitea.io/gitea	ge	1.1.0

References

packetstormsecurity.com/files/162122/Gitea-Git-Hooks-Remote-Code-Execution.html

docs.github.com/en/enterprise-server%402.19/admin/policies/creating-a-pre-receive-hook-script

docs.github.com/en/[email protected]/admin/policies/creating-a-pre-receive-hook-script

docs.gitlab.com/ee/administration/server_hooks.html

github.com/go-gitea/gitea

github.com/go-gitea/gitea/commit/8fe8ab5cbf2977f3a01ea12361df2cd76dce3ea9

github.com/go-gitea/gitea/pull/13058

github.com/go-gitea/gitea/releases

github.com/PandatiX/CVE-2021-28378

github.com/PandatiX/CVE-2021-28378#notes

nvd.nist.gov/vuln/detail/CVE-2020-14144

podalirius.net/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution

www.exploit-db.com/exploits/49571

www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

Low

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.973 High

EPSS

Percentile

99.9%

JSON

Related for OSV:GHSA-3H6C-C475-JM7V