Attacker Value
Very High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
High
Attack Vector
Network
CVE-2020-14144

Disclosure Date: October 16, 2020
Description

The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states “This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides.”

Technical Analysis

If a Gitea user is allowed to create Git hooks, which is the default for administrators, code execution on the server through the web interface is possible. Note that this privilege can also be granted to a non-administrative user.

Git hooks are scripts that are executed before or after an event such as push, commit, etc. Allowing a user to create such scripts is potentially dangerous and should be avoided as much as possible.

A new Metasploit exploit module that leverages this insecure setting has been added recently. It enables an attacker to remotely execute arbitrary code if he has access to an account with permission to create Git hooks. For this, it simply creates a new repository, sets a post-receive Git hook containing the malicious code and adds a dummy file to the repository to trigger code execution.

It has been mitigated in version 1.13.0 by setting the Gitea DISABLE_GIT_HOOKS configuration to true by default. This completely disables the Git hook creation feature and prevents all users (including admin) from creating custom Git hooks. Administrators will need to think twice before changing it back to false, since it is a serious security risk.
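The following is an added example, not code from the page, the assessor, or the Gitea project: a small audit script that reads a Gitea app.ini and reports whether custom Git hooks are effectively enabled, which is the setting the analysis above describes as the risk. It looks for the DISABLE_GIT_HOOKS key under the [security] section (the key named in the analysis; the description's ENABLE_GIT_HOOKS spelling is not checked), and when the key is absent it applies the default the analysis states: hooks enabled before 1.13.0, disabled from 1.13.0 on. The three sample configurations are constructed for the example.

```python
"""Audit a Gitea app.ini for the Git hook setting discussed in CVE-2020-14144.

Added example; assumes the key DISABLE_GIT_HOOKS lives in the [security]
section and that its default flipped to true in Gitea 1.13.0, as the
assessment above states.
"""
import configparser

# Constructed sample configurations (not from any real deployment).
WEAK_INI = """
APP_NAME = Example Gitea
RUN_MODE = prod

[security]
INSTALL_LOCK = true
DISABLE_GIT_HOOKS = false
"""

HARDENED_INI = """
[security]
INSTALL_LOCK = true
DISABLE_GIT_HOOKS = true
"""

MISSING_INI = """
[security]
INSTALL_LOCK = true
"""

_TRUE = {"true", "1", "yes", "on"}
_FALSE = {"false", "0", "no", "off"}


def load_ini(text):
    """Parse Gitea-style ini text.

    Gitea allows top-level keys before any section header, so the text is
    prefixed with [DEFAULT] to keep configparser happy. Keys are kept
    case-sensitive because Gitea writes them in upper case.
    """
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    parser.optionxform = str
    parser.read_string("[DEFAULT]\n" + text)
    return parser


def parse_bool(raw):
    """Interpret the boolean spellings an ini file commonly uses."""
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"unrecognised boolean value: {raw!r}")


def parse_version(version):
    """Turn '1.12.5' (optionally with a '-rc1' or '+dev' suffix) into a tuple."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split(".")[:3])


def git_hooks_enabled(ini_text, gitea_version):
    """Return True when users holding the hook privilege can create custom hooks."""
    cfg = load_ini(ini_text)
    raw = cfg.get("security", "DISABLE_GIT_HOOKS", fallback=None)
    if raw is None:
        # Key absent: before 1.13.0 the default left hooks enabled,
        # from 1.13.0 on the default disables them (per the analysis above).
        return parse_version(gitea_version) < (1, 13, 0)
    return not parse_bool(raw)


def audit_git_hooks(ini_text, gitea_version):
    """Return (status, message) for a config review or CI gate."""
    if git_hooks_enabled(ini_text, gitea_version):
        return (
            "FAIL",
            "custom Git hooks are enabled: any account granted the hook privilege "
            "(administrators by default) can run code on the server; set "
            "[security] DISABLE_GIT_HOOKS = true unless this is a deliberate choice",
        )
    return ("PASS", "custom Git hooks are disabled")


if __name__ == "__main__":
    for label, ini, version in (
        ("explicit false on 1.13.0", WEAK_INI, "1.13.0"),
        ("explicit true on 1.12.5", HARDENED_INI, "1.12.5"),
        ("key absent on 1.12.5", MISSING_INI, "1.12.5"),
        ("key absent on 1.13.0", MISSING_INI, "1.13.0"),
    ):
        status, message = audit_git_hooks(ini, version)
        print(f"{label}: {status} - {message}")
```

The version argument matters only when the key is absent: an older instance that never set DISABLE_GIT_HOOKS is reported as a finding, while a 1.13.0 or later instance with the same file passes. Reading the key from the live app.ini rather than trusting the version alone catches the case the analysis warns about, an administrator who has switched the setting back to false after upgrading.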

CVSS V3 Severity and Metrics
Base Score:
7.2 High
Impact Score:
5.9
Exploitability Score:
1.2
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
High
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • gitea

Products

  • gitea