PT-2020-13891 · Gitea+1 · Gitea+1
Niklas974
·
Published
2020-10-16
·
Updated
2026-02-28
·
CVE-2020-14144
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Gitea versions 1.1.0 through 1.12.5
Description
The git hook feature in Gitea might allow for authenticated remote code execution in customer environments where the documentation was not understood. The vendor has indicated this is not a vulnerability, stating it is a functionality of the software limited to a very limited subset of accounts, and that clear warnings are provided to users around this functionality.
Recommendations
For Gitea versions 1.1.0 through 1.12.5, consider disabling the git hook feature to minimize the risk of exploitation, as it may allow for authenticated remote code execution. Ensure that the documentation regarding the git hook feature is thoroughly understood, and warnings around its functionality are clearly acknowledged. At the moment, there is no information about a newer version that contains a fix for this issue.
Exploit
Fix
RCE
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Gitea