07.10.2020

FSA-2020-3 Authenticated Remote Code Execution in Gitea 1.12.6 and Gogs 0.12.2

Research scientists at the Competence Center for IT Security have found a vulnerability in the software projects Gitea and Gogs.

A vulnerability in Gitea and Gogs, two projects used to run self-hosted Git services, allows an attacker who controls an administrative account, or any account that has been granted the right to edit git hooks, to execute arbitrary code on the server: git hooks are scripts that the server runs on every push, and the hook editor accepts arbitrary script content. The issue has been assigned CVE-2020-14144 (Gitea) and CVE-2020-15867 (Gogs). Deactivating the git hook feature in Gitea closes the attack path; a comparable switch will be added to Gogs in version 0.13.
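Two checks an administrator would run on an affected Gitea instance, written here as an added example (this is not code from the advisory, from Gitea or from Gogs). The first reads app.ini and confirms that the feature switch, DISABLE_GIT_HOOKS in the [security] section, is explicitly set; an absent key counts as not disabled, because the affected 1.12.x releases shipped with hooks enabled. The second walks the repository root and lists hook scripts that Gitea did not write itself. The on-disk layout it assumes (bare repositories at REPO_ROOT/owner/repo.git, Gitea's own delegating hook at hooks/event.d/gitea, user-supplied hooks as further files in the same event.d directory) is an assumption, as is the point that flipping the switch only removes the editor and API while already-written hook files keep executing on each push; both are stated as such in the code. The repository tree the demo runs against is constructed in a temporary directory.

```python
"""Post-advisory checks for the Gitea git-hook RCE mitigation.

Added example, not part of FSA-2020-3 and not Gitea's own code.
Assumptions (not taken from the advisory):
  * Gitea reads the switch as DISABLE_GIT_HOOKS under [security] in app.ini.
  * Bare repos live under REPO_ROOT/<owner>/<repo>.git; Gitea's delegating
    hook is hooks/<event>.d/gitea and a hook saved through the web UI is
    another file in that same <event>.d directory.
  * Disabling the feature does not delete hooks already on disk.
"""
import configparser
import tempfile
from pathlib import Path

HOOK_EVENTS = ("pre-receive", "update", "post-receive")


def hooks_disabled(app_ini_text: str) -> bool:
    """True only if [security] DISABLE_GIT_HOOKS is explicitly truthy.

    A missing key is reported as *not* disabled: that was the default of the
    affected releases and is exactly the state this check should flag.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Gitea's upper-case key names as written
    # app.ini may carry keys (APP_NAME, RUN_MODE, ...) before the first
    # section header, which configparser rejects; park them in a dummy section.
    cp.read_string("[__root__]\n" + app_ini_text)
    if not cp.has_section("security"):
        return False
    value = cp.get("security", "DISABLE_GIT_HOOKS", fallback="false")
    return value.strip().lower() in ("true", "1", "yes", "on")


def find_custom_hooks(repo_root: Path) -> list[str]:
    """List hook scripts under hooks/<event>.d/ that are not Gitea's own.

    Assumed layout: anything in <event>.d other than the file named "gitea"
    was placed there through the (now disabled) hook editor and still runs
    on every push, so it must be reviewed and removed by hand.
    """
    findings = []
    for hooks_dir in repo_root.rglob("hooks"):
        if not hooks_dir.is_dir() or hooks_dir.parent.suffix != ".git":
            continue
        for event in HOOK_EVENTS:
            event_dir = hooks_dir / f"{event}.d"
            if not event_dir.is_dir():
                continue
            for script in event_dir.iterdir():
                if script.is_file() and script.name != "gitea":
                    findings.append(str(script.relative_to(repo_root)))
    return sorted(findings)


def build_sample_tree(base: Path) -> Path:
    """Constructed sample: two bare repos, one with a planted post-receive hook."""
    clean = base / "alice" / "clean.git" / "hooks" / "post-receive.d"
    planted = base / "bob" / "tools.git" / "hooks" / "post-receive.d"
    for d in (clean, planted):
        d.mkdir(parents=True)
        (d / "gitea").write_text("#!/bin/sh\nexec gitea hook post-receive\n")
    # Stand-in for what the hook editor would have stored for an attacker;
    # the payload is a harmless placeholder, not the advisory's proof of concept.
    (planted / "post-receive").write_text("#!/bin/sh\nid > /tmp/hook-ran\n")
    return base


def demo_audit() -> list[str]:
    """Run the hook audit against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_custom_hooks(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    print("custom hooks found:", demo_audit())
    print("hooks disabled:", hooks_disabled("[security]\nDISABLE_GIT_HOOKS = true\n"))
```

Run it against a real installation by pointing find_custom_hooks at the directory configured as REPO_ROOT_PATH and hooks_disabled at the contents of the live app.ini; a non-empty finding list after the switch has been set means the mitigation is in place but the planted scripts are not yet gone.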

The full report is available for download.
