CVE-2020-14144 — HIGH (7.2)

Q: How severe is CVE-2020-14144?

CVE-2020-14144 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-14144?

Check the references section above for vendor advisories and patch information. Affected products include: Gitea Gitea.

Vulnerability Description

The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides.

CVSS Score

7.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gitea	Gitea	>= 1.1.0, <= 1.12.5

Related Weaknesses (CWE)

CWE-78

References

http://packetstormsecurity.com/files/162122/Gitea-Git-Hooks-Remote-Code-ExecutioExploitThird Party AdvisoryVDB Entry
https://docs.github.com/en/enterprise-server%402.19/admin/policies/creating-a-pr
https://docs.gitlab.com/ee/administration/server_hooks.htmlThird Party Advisory
https://github.com/PandatiX/CVE-2021-28378ExploitThird Party Advisory
https://github.com/PandatiX/CVE-2021-28378#notesExploitThird Party Advisory
https://github.com/go-gitea/gitea/pull/13058Third Party Advisory
https://github.com/go-gitea/gitea/releasesRelease NotesThird Party Advisory
https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-giThird Party Advisory
http://packetstormsecurity.com/files/162122/Gitea-Git-Hooks-Remote-Code-ExecutioExploitThird Party AdvisoryVDB Entry
https://docs.github.com/en/enterprise-server%402.19/admin/policies/creating-a-pr
https://docs.gitlab.com/ee/administration/server_hooks.htmlThird Party Advisory
https://github.com/PandatiX/CVE-2021-28378ExploitThird Party Advisory
https://github.com/PandatiX/CVE-2021-28378#notesExploitThird Party Advisory
https://github.com/go-gitea/gitea/pull/13058Third Party Advisory
https://github.com/go-gitea/gitea/releasesRelease NotesThird Party Advisory

FAQ

What is CVE-2020-14144?

CVE-2020-14144 is a vulnerability with a CVSS score of 7.2 (HIGH). The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that ...

How severe is CVE-2020-14144?

CVE-2020-14144 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-14144?

Check the references section above for vendor advisories and patch information. Affected products include: Gitea Gitea.