CVE-2019-11229
published 2019-04-15

CVE-2019-11229: models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.

Priority: P2 · 74 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 55.58% (98.9th percentile)

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitea | gitea | < 1.7.6 | 1.7.6 |
| gitea | gitea | | |
| github.com | go-gitea_gitea | >= 0 < 1.7.6 | 1.7.6 |

Detection & IOCs (extracted from sources)

url: http://192.168.1.2:3000/user/login
url: /repo/migrate
url: /<USERNAME>/<REPO_NAME>/settings
cookie: _csrf
other: ssh://example.com/x/x"""\r\n[core]\r\nsshCommand="<CMD>"\r\na="""
  • Monitor POST requests to /repo/migrate with a 'mirror=on' parameter and a 'clone_addr' pointing to an attacker-controlled server — this is the initial mirror repository creation step of the exploit.
  • Detect POST requests to /<user>/<repo>/settings where the 'mirror_address' parameter contains CRLF sequences (\r\n) and git config injection patterns such as '[core]' and 'sshCommand=' — this is the config injection payload.
  • Detect POST requests to /<user>/<repo>/settings with 'action=mirror-sync' immediately following a settings update — this is the trigger step that executes the injected sshCommand.
  • Flag creation of executable files dropped to /tmp (e.g., /tmp/shell) by the Gitea service account, consistent with the exploit's payload delivery pattern.
  • The vulnerable code path is in models/repo_mirror.go; the flaw allows injecting arbitrary git config directives (including sshCommand) via the mirror_address field by embedding CRLF sequences.
  • Affected versions are Gitea < 1.7.6 and 1.8.x < 1.8-RC3; instances running these versions with mirror functionality enabled and user registration open are at highest risk.
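
The request-level checks above can be expressed as a small detector. This is an added example, not code from Gitea or from the sources this entry quotes. It assumes a reverse proxy or WAF that records POST bodies; the record layout, rule names and 60-second window are hypothetical, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qs

SETTINGS = re.compile(r"^/[^/]+/[^/]+/settings$")
# A section header at the start of a line, or an sshCommand assignment.
GIT_CONFIG = re.compile(r"^\s*\[[^\]\r\n]+\]|sshCommand\s*=", re.I | re.M)
SYNC_WINDOW = 60  # seconds; assumed threshold for "immediately following"

# Constructed records: (timestamp_seconds, session_id, path, raw form body).
SAMPLE = [
    (100, "s1", "/repo/migrate",
     "clone_addr=https%3A%2F%2Fgit.example.org%2Fa.git&mirror=on&repo_name=a"),
    (130, "s1", "/alice/a/settings",
     "mirror_address=ssh%3A%2F%2Fexample.com%2Fx%2Fx%22%22%22%0D%0A%5Bcore%5D"
     "%0D%0AsshCommand%3D%22%3CCMD%3E%22%0D%0Aa%3D%22%22%22"),
    (133, "s1", "/alice/a/settings", "action=mirror-sync"),
    (200, "s2", "/bob/b/settings",
     "mirror_address=https%3A%2F%2Fgit.example.org%2Fb.git"),
    (900, "s2", "/bob/b/settings", "action=mirror-sync"),
]

def scan(records):
    """Return (timestamp, rule) alerts for the request patterns listed above."""
    alerts, last_update = [], {}
    for ts, session, path, body in records:
        # parse_qs percent-decodes values, so %0D%0A becomes a real CRLF here.
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        if path == "/repo/migrate" and form.get("mirror") == "on":
            # Informational: mirror creation is normal use; correlate with later alerts.
            alerts.append((ts, "mirror-create"))
        elif SETTINGS.match(path):
            addr = form.get("mirror_address")
            if addr is not None:
                last_update[(session, path)] = ts
                if "\r" in addr or "\n" in addr:  # never valid in a mirror URL
                    rule = ("git-config-injection" if GIT_CONFIG.search(addr)
                            else "crlf-in-mirror-address")
                    alerts.append((ts, rule))
            elif form.get("action") == "mirror-sync":
                prev = last_update.get((session, path))
                if prev is not None and ts - prev <= SYNC_WINDOW:
                    alerts.append((ts, "sync-after-update"))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The sync-after-update rule alone also fires on ordinary administration, so it is most useful when it follows a CRLF alert for the same repository path.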

CVSS provenance

nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 · MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P