CVSSv3: 7.2

CVE-2020-14144

Published: 16/10/2020 Updated: 14/05/2024
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2
VMScore: 580
Vector (CVSS v2): AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

The git hook feature in Gitea 1.1.0 up to and including 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides."

Vulnerable Product

gitea gitea (vendor / product)

Exploits

Gitea version 1.12.5 suffers from a remote code execution vulnerability ...
This Metasploit module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gogs. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the permission needs to be specifically granted by an administ ...
This Metasploit module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gitea. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the permission needs to be specifically granted by an adminis ...

Github Repositories

A script to exploit CVE-2020-14144 - GiTea authenticated Remote Code Execution using git hooks

CVE-2020-14144 - GiTea authenticated RCE. A script to exploit CVE-2020-14144 - GiTea authenticated Remote Code Execution using git hooks. Features: automatic reverse shell payload generation from IP and PORT; upload custom shell script and execute it remotely with option -f; automatic login with username and password. Usage: $ /CVE-2020-14144-GiTea-git-hooks-r

Tool to automate code execution on the server running Gogs git service.

Gogs Remote Code Execution. Tool to automate code execution on the server running Gogs git service. Inspired from: github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce. POC. Linux Dependencies: this script automates the execution of git commands using Linux tools: git and expect (sudo apt install git; sudo apt install expect). How t