CVE-2019-11229
published 2019-04-15CVE-2019-11229: models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.
PriorityP274high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
55.58%
98.9th percentile
models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitea | gitea | < 1.7.6 | 1.7.6 |
| gitea | gitea | — | — |
| github.com | go-gitea_gitea | >= 0 < 1.7.6 | 1.7.6 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor POST requests to /repo/migrate with a 'mirror=on' parameter and a 'clone_addr' pointing to an attacker-controlled server — this is the initial mirror repository creation step of the exploit. ↗
- →Detect POST requests to /<user>/<repo>/settings where the 'mirror_address' parameter contains CRLF sequences (\r\n) and git config injection patterns such as '[core]' and 'sshCommand=' — this is the config injection payload. ↗
- →Detect POST requests to /<user>/<repo>/settings with 'action=mirror-sync' immediately following a settings update — this is the trigger step that executes the injected sshCommand. ↗
- →Flag creation of executable files dropped to /tmp (e.g., /tmp/shell) by the Gitea service account, consistent with the exploit's payload delivery pattern. ↗
- ·The vulnerable code path is in models/repo_mirror.go; the flaw allows injecting arbitrary git config directives (including sshCommand) via the mirror_address field by embedding CRLF sequences. ↗
- ·Affected versions are Gitea < 1.7.6 and 1.8.x < 1.8-RC3; instances running these versions with mirror functionality enabled and user registration open are at highest risk. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Gitea Remote Code Execution in github.com/go-gitea/gitea
osv·2024-08-21
CVE-2019-11229 Gitea Remote Code Execution in github.com/go-gitea/gitea
Gitea Remote Code Execution in github.com/go-gitea/gitea
Gitea Remote Code Execution in github.com/go-gitea/gitea
OSV
Gitea Remote Code Execution
osv·2022-02-15
CVE-2019-11229 [HIGH] Gitea Remote Code Execution
Gitea Remote Code Execution
models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.
GHSA
Gitea Remote Code Execution
ghsa·2022-02-15
CVE-2019-11229 [HIGH] CWE-94 Gitea Remote Code Execution
Gitea Remote Code Execution
models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.
No detection rules found.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/160833/Gitea-1.7.5-Remote-Code-Execution.htmlhttps://github.com/go-gitea/gitea/releases/tag/v1.7.6https://github.com/go-gitea/gitea/releases/tag/v1.8.0-rc3http://packetstormsecurity.com/files/160833/Gitea-1.7.5-Remote-Code-Execution.htmlhttps://github.com/go-gitea/gitea/releases/tag/v1.7.6https://github.com/go-gitea/gitea/releases/tag/v1.8.0-rc3
2019-04-15
Published