CVE-2020-14144

16.10.2020, 14:15

The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides.

OS Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.2 HIGH	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
gitea	gitea	1.1.0 ≤ 𝑥 ≤ 1.12.5

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

http://packetstormsecurity.com/files/162122/Gitea-Git-Hooks-Remote-Code-Execution.html

https://docs.github.com/en/enterprise-server%402.19/admin/policies/creating-a-pre-receive-hook-script

https://docs.gitlab.com/ee/administration/server_hooks.html

https://github.com/PandatiX/CVE-2021-28378

https://github.com/PandatiX/CVE-2021-28378#notes

https://github.com/go-gitea/gitea/pull/13058

https://github.com/go-gitea/gitea/releases

https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/

http://packetstormsecurity.com/files/162122/Gitea-Git-Hooks-Remote-Code-Execution.html

https://docs.github.com/en/enterprise-server%402.19/admin/policies/creating-a-pre-receive-hook-script

https://docs.gitlab.com/ee/administration/server_hooks.html

https://github.com/PandatiX/CVE-2021-28378

https://github.com/PandatiX/CVE-2021-28378#notes

https://github.com/go-gitea/gitea/pull/13058

https://github.com/go-gitea/gitea/releases

https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/