Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 750686 (CVE-2020-14144) - <www-apps/gitea-1.12.6: Authenticated remote code execution via git hooks (CVE-2020-14144)
Summary: <www-apps/gitea-1.12.6: Authenticated remote code execution via git hooks (CV...
Status: RESOLVED FIXED
Alias: CVE-2020-14144
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/go-gitea/gitea/pul...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks: 754948
  Show dependency tree
 
Reported: 2020-10-22 00:32 UTC by John Helmert III
Modified: 2020-11-24 15:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-22 00:32:51 UTC
The git hook feature in Gitea 1.1.0 through 1.12.5 allows for authenticated remote code execution. NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides."


Fix is set for 1.13 milestone.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-16 18:49:25 UTC
Ping.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-24 15:02:13 UTC
Fixed as per resolution in other bug.