Vulnerability roundup 95: gitea-1.12.5: 1 advisory [7.2] #101156

ckauhaus · 2020-10-20T12:35:55Z

CVE-2020-14144 CVSSv3=7.2 (nixos-20.09, nixos-unstable)

Scanned versions: nixos-20.09: ba2ec48; nixos-unstable: 8133b9c.

The text was updated successfully, but these errors were encountered:

kolaente · 2020-10-20T19:19:38Z

We discussed this within the Gitea maintainers chat and think this is not a cve. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. That's like saying admin accounts on wordpress can do RCE because they can install plugins from third parties.
We never pretended to sandbox git hooks.

You can see in the PR which "fixed" that issue it only changed the default settings to mitigate the "issue" but not really fixed the problem: go-gitea/gitea#13058

ckauhaus · 2020-11-04T11:14:40Z

disputed

ckauhaus added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Oct 20, 2020

kolaente mentioned this issue Oct 20, 2020

Vulnerability roundup 95: gitea-1.11.8: 1 advisory [7.2] #101155

Closed

1 task

ckauhaus closed this as completed Nov 4, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerability roundup 95: gitea-1.12.5: 1 advisory [7.2] #101156

Vulnerability roundup 95: gitea-1.12.5: 1 advisory [7.2] #101156

ckauhaus commented Oct 20, 2020

kolaente commented Oct 20, 2020

ckauhaus commented Nov 4, 2020

Vulnerability roundup 95: gitea-1.12.5: 1 advisory [7.2] #101156

Vulnerability roundup 95: gitea-1.12.5: 1 advisory [7.2] #101156

Comments

ckauhaus commented Oct 20, 2020

kolaente commented Oct 20, 2020

ckauhaus commented Nov 4, 2020