Bug 750686 (CVE-2020-14144)

Summary:	<www-apps/gitea-1.12.6: Authenticated remote code execution via git hooks (CVE-2020-14144)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	nemunaire, proxy-maint
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/go-gitea/gitea/pull/13058
Whiteboard:	~2 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	754948

Description John Helmert III archtester

2020-10-22 00:32:51 UTC

The git hook feature in Gitea 1.1.0 through 1.12.5 allows for authenticated remote code execution. NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides."


Fix is set for 1.13 milestone.

Comment 1 Sam James archtester

2020-11-16 18:49:25 UTC

Ping.

Comment 2 Sam James archtester

2020-11-24 15:02:13 UTC

Fixed as per resolution in other bug.