Veracode Vulnerability DatabaseVERACODE:27618Remote Code Execution (RCE)
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
github.com/go-gitea/gitea is vulnerable to remote code execution (RCE). The vulnerability exists through git hooks which are enabled by default.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/go-gitea/gitea | le | v1.13.0-dev | |
| github.com/go-gitea/gitea | le | v1.13.0-dev |
References
packetstormsecurity.com/files/162122/Gitea-Git-Hooks-Remote-Code-Execution.html
docs.github.com/en/[email protected]/admin/policies/creating-a-pre-receive-hook-script
docs.gitlab.com/ee/administration/server_hooks.html
github.com/go-gitea/gitea/commit/e00e8d8ad391ded1316d9dade4d2542199141be6
github.com/go-gitea/gitea/pull/13058
github.com/go-gitea/gitea/releases
github.com/PandatiX/CVE-2021-28378
github.com/PandatiX/CVE-2021-28378#notes
www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/
Related
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P