The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides.
Published 2020-10-16 14:15:11
Updated 2024-05-17 01:42:48
Source MITRE
View at NVD,   CVE.org
Vulnerability category: Execute code

Exploit prediction scoring system (EPSS) score for CVE-2020-14144

97.28%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2020-14144

  • Gitea Git Hooks Remote Code Execution
    Disclosure Date: 2020-10-07
    First seen: 2021-04-07
    exploit/multi/http/gitea_git_hooks_rce
    This module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gitea. This is possible when the current user is allowed to create `git hooks`, which is the default for administrative users. For

CVSS scores for CVE-2020-14144

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.5
MEDIUM AV:N/AC:L/Au:S/C:P/I:P/A:P
8.0
6.4
NIST
7.2
HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1.2
5.9
NIST

CWE ids for CVE-2020-14144

References for CVE-2020-14144

Products affected by CVE-2020-14144

  • Gitea » Gitea
    Versions from including (>=) 1.1.0 and up to, including, (<=) 1.12.5
    cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!