CVE-2018-18926 — Session Fixation in Gitea

CWE-384 — Session Fixation CWE-94 — Code Injection5 documents3 sources

Severity

9.8CRITICALNVD

EPSS

1.3%

top 20.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Code.gitea.io Gitea Gitea

Timeline

PublishedNov 4

Latest updateAug 21

Description

Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶Gocode.gitea.io/gitea< 1.5.2

▶NVDgitea/gitea< 1.5.4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Gitea Remote Code Execution (RCE) in code.gitea.io/gitea↗2024-08-21

▶

OSV

Gitea Remote Code Execution (RCE)↗2022-02-15

▶

GHSA

Gitea Remote Code Execution (RCE)↗2022-02-15

▶

OSV

CVE-2018-18926: Gitea before 1↗2018-11-04

▶