
x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2020-14144 #2276

Closed
tatianab opened this issue Nov 8, 2023 · 1 comment
Labels
excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process

Comments


tatianab commented Nov 8, 2023

CVE-2020-14144 references github.com/go-gitea/gitea, which may be a Go module.

Description:
** DISPUTED ** The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides."

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/go-gitea/gitea
      vulnerable_at: 1.20.5
      packages:
        - package: n/a
cves:
    - CVE-2020-14144
references:
    - web: https://github.com/go-gitea/gitea/releases
    - web: https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/
    - fix: https://github.com/go-gitea/gitea/pull/13058
    - web: https://docs.gitlab.com/ee/administration/server_hooks.html
    - web: https://docs.github.com/en/enterprise-server@2.19/admin/policies/creating-a-pre-receive-hook-script
    - web: http://packetstormsecurity.com/files/162122/Gitea-Git-Hooks-Remote-Code-Execution.html
    - web: https://github.com/PandatiX/CVE-2021-28378
    - web: https://github.com/PandatiX/CVE-2021-28378#notes

@tatianab tatianab added the excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process label Nov 8, 2023
@gopherbot

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports
