PT-2020-17077 · Gitea+1

Abergmann · Published 2020-11-24 · Updated 2024-04-24 · CVE-2020-28991

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gitea versions 0.9.99 through 1.12.x before 1.12.6

Description: The issue arises from the failure of ParseRemoteAddr in modules/auth/repo_form.go to reject a git protocol path that specifies a TCP port number and also contains newlines (URL-encoded). A remote address that passes this check unvalidated allows for potential exploitation.

Recommendations: For Gitea versions 0.9.99 through 1.12.x before 1.12.6, update to version 1.12.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the ParseRemoteAddr function in modules/auth/repo_form.go until a patch is available.

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

ALT-PU-2020-3490
ALT-PU-2020-3506
ALT-PU-2022-1257
BIT-GITEA-2020-28991
CVE-2020-28991
GHSA-R7H7-CHH4-5RVM

Affected Products

Alt Linux
Gitea