x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2020-28991

[tatianab]

CVE-2020-28991 references github.com/go-gitea/gitea, which may be a Go module.

Description:
Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-28991
• fix: Disallow urlencoded new lines in git protocol paths if there is a port (#13521) go-gitea/gitea#13525
• web: https://github.com/go-gitea/gitea/releases/tag/v1.12.6
• Imported by: https://pkg.go.dev/github.com/go-gitea/gitea?tab=importedby

Cross references:

• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45325 #308 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45326 #309 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45327 #310 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45329 #314 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45331 #315 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-29134 #353 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-27313 #442 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-30781 #450 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-36h2-95gj-w488 #579 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea/models: GHSA-f5fj-7265-jxhj #823 NOT_IMPORTABLE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-g2qx-6ghw-67hm #830 NOT_IMPORTABLE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea/models: GHSA-hpmr-prr2-cqc4 #846 NOT_IMPORTABLE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea/models: GHSA-q47x-6mqq-4w92 #862 NOT_IMPORTABLE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-42968 #1065 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-38795 #1999 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/go-gitea/gitea
      vulnerable_at: 1.20.5
      packages:
        - package: n/a
cves:
    - CVE-2020-28991
references:
    - fix: https://github.com/go-gitea/gitea/pull/13525
    - web: https://github.com/go-gitea/gitea/releases/tag/v1.12.6

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports