CVE-2020-14144
Published: 2020-10-16
Priority: P2 · 71 · high · CVSS 3.1: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
Tags: EXPLOIT
EPSS: 93.69% (99.8th percentile)
The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 1.1.0 < 1.12.6 | 1.12.6 |
| gitea | gitea | 1.1.0 – 1.12.5 | — |
Detection & IOCs (extracted from sources)
shodan-query: html:"Powered by Gitea Version"
Detection guidance:
- Detect exploitation attempts by monitoring POST requests to the git hook settings endpoints: /settings/hooks/git/post-receive, /settings/hooks/git/pre-receive, and /settings/hooks/git/update on Gitea instances running versions 1.1.0 through 1.12.5.
- Monitor for the Gitea process spawning wget or curl to download XMRig or other binaries, followed by chmod 777 and execution, a pattern consistent with JINX-0132 post-exploitation via CVE-2020-14144.
- Detect outbound connections to pool.supportxmr.com:443 from Gitea host processes, which indicates cryptomining activity following successful exploitation.
- The exploit workflow involves: (1) login, (2) repo creation, (3) POST to /settings/hooks/git/post-receive with a shell payload in the 'content' field, (4) a dummy commit push to trigger the hook. Correlate these sequential HTTP events from the same session.
- The JINX-0132 threat actor names malicious Nomad task groups 'NIGNOG'; this string in Nomad job definitions is a strong indicator of compromise associated with this campaign.

Context and caveats:
- CVE-2020-14144 only applies to Gitea versions 1.1.0 through 1.12.5 where DISABLE_GIT_HOOKS defaults to false. Version 1.13.0+ changed the default to true, but the risk resurfaces if an admin manually re-enables hooks.
- Exploitation requires the attacker to be authenticated with git hook creation privileges. For non-admin users, this permission must be explicitly granted by an administrator.
- If INSTALL_LOCK=false, the installation wizard is accessible to anyone, allowing an attacker to reset admin credentials without needing existing credentials, bypassing the authentication prerequisite.
- The Monero wallet address IOC is brittle: the attacker can trivially replace it in future campaign instances, so absence of this specific wallet address does not rule out JINX-0132 activity.
- Gitea version 1.4.0 specifically is affected by an unauthenticated RCE via LFS object path traversal to forge an admin session; this is a separate, more severe attack path not requiring credentials.
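The "correlate these sequential HTTP events from the same session" guidance above, as an added Python example that is not from any of the sources this page aggregates. It assumes a simplified, constructed log layout (ip, session id, method, path, status) rather than Gitea's real access-log format, and it treats the repository-creation and push paths (`/repo/create`, `*.git/git-receive-pack`) as assumptions about the deployment's URL layout; only the `/settings/hooks/git/*` endpoints come from the page. It also implements the simpler "any POST to a hook endpoint" rule so the two can be compared.

```python
import re

# Constructed sample lines in a simplified "ip session method path status"
# layout (assumption: not Gitea's real access-log format; adapt LINE_RE).
SAMPLE_LOG = """\
203.0.113.7 sess-a POST /user/login 303
203.0.113.7 sess-a POST /repo/create 303
203.0.113.7 sess-a POST /alice/tmp/settings/hooks/git/post-receive 302
203.0.113.7 sess-a POST /alice/tmp.git/git-receive-pack 200
198.51.100.9 sess-b POST /user/login 303
198.51.100.9 sess-b GET /bob/proj/settings/hooks 200
198.51.100.9 sess-c POST /carol/x/settings/hooks/git/update 302
"""
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<session>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Hook settings endpoints named on this page, under an owner/repo prefix.
HOOK_RE = re.compile(r"^/\S+/settings/hooks/git/(post-receive|pre-receive|update)$")
# Ordered stages of the workflow; a session advances only when the next
# stage is seen, so a hook POST without a prior login/repo-create never counts.
STAGES = [
    ("login",       lambda m, p: m == "POST" and p == "/user/login"),
    ("repo_create", lambda m, p: m == "POST" and p == "/repo/create"),   # assumed path
    ("hook_set",    lambda m, p: m == "POST" and HOOK_RE.match(p) is not None),
    ("push",        lambda m, p: m == "POST" and p.endswith(".git/git-receive-pack")),
]

def parse(line):
    """One log line -> dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def hook_endpoint_hits(lines):
    """Simple rule: every POST to a git-hook settings endpoint, in any session."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and HOOK_RE.match(rec["path"]):
            hits.append(rec)
    return hits

def track_sessions(lines):
    """Per session id, how many consecutive stages of the workflow were seen."""
    progress = {}
    for rec in filter(None, map(parse, lines)):
        sid = rec["session"]
        n = progress.get(sid, 0)
        if n < len(STAGES) and STAGES[n][1](rec["method"], rec["path"]):
            progress[sid] = n + 1
    return progress

def find_hook_abuse(lines):
    """Sessions that completed login -> repo create -> hook POST -> push, in order."""
    return [s for s, n in track_sessions(lines).items() if n == len(STAGES)]
```

Run against the constructed sample, only `sess-a` completes the full sequence, while the simple endpoint rule also fires on `sess-c`, which shows the trade-off between the two detections.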
CVSS provenance
- NVD v3.1: 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
GHSA · 2024-04-22 · CVE-2020-14144 [HIGH] CWE-78: Arbitrary Code Execution in Gitea
The git hook feature in Gitea 1.1.0 through 1.12.5 allows for authenticated remote code execution.
OSV · 2024-04-22 · CVE-2020-14144 [HIGH] Arbitrary Code Execution in Gitea
The git hook feature in Gitea 1.1.0 through 1.12.5 allows for authenticated remote code execution.
No detection rules found.
Exploit-DB · exploitdb · 2021-02-18 · CVE-2020-14144: Gitea 1.12.5 - Remote Code Execution (Authenticated)
---
```python
# Exploit Title: Gitea 1.12.5 - Remote Code Execution (Authenticated)
# Date: 17 Feb 2020
# Exploit Author: Podalirius
# PoC demonstration article: https://podalirius.net/en/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/
# Vendor Homepage: https://gitea.io/
# Software Link: https://dl.gitea.io/
# Version: >= 1.1.0 to ] login('%s', ...)" % username)
        self.session = requests.Session()
        r = self.session.get('%s/user/login' % self.host)
        self.username = username
        self.password = password
        # Logging in
        csrf = self._get_csrf(self.host)
        r = self.session.post(
            '%s/user/login?redirect_to=%%2f%s' % (self.host, self.username),
            data={'_csrf': csrf, 'user_name': username, 'password': password},
            allow_redirects=True
        )
i
```
Nuclei · CVSS 7.2 · CVE-2020-14144 [HIGH] Gitea 1.1.0 - 1.12.5 - Remote Code Execution
Gitea 1.1.0 through 1.12.5 is susceptible to authenticated remote code execution, via the git hook functionality, in customer environments where the documentation is not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides."
Template:
```yaml
id: CVE-2020-14144
info:
  name: Gitea 1.1.0 - 1
```
Metasploit · Gitea Git Hooks Remote Code Execution
This module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gitea. This is possible when the current user is allowed to create `git hooks`, which is the default for administrative users. For non-administrative users, the permission needs to be specifically granted by an administrator. To achieve code execution, the module authenticates to the Gitea web interface, creates a temporary repository, sets a `post-receive` git hook with the payload and creates a dummy file in the repository. This last action will trigger the git hook and execute the payload. Everything is done through the web interface. It has been mitigated in version 1.13.0 by setting the Gitea `DISABLE_GIT_HOOKS` configuration
Wiz · blogs_wiz · 2025-07-01 · CVSS 7.2 · [HIGH] Crying Out Cloud Newsletter - July 2025 | Wiz
Cloud security is constantly evolving, and the Wiz Research team is dedicated to keeping you informed. The past month has seen significant vulnerabilities discovered, and there have been a few security incidents affecting cloud users.
We've compiled a shortlist of the most relevant developments. Here are our top picks!
## 🔍 Highlights
## Cryptojacking Campaign Targets Misconfigured DevOps Tools
Wiz Threat Research identified a cryptojacking campaign, attributed to the threat actor JINX-0132, actively exploiting misconfigured and publicly exposed DevOps tools—including HashiCorp Nomad, HashiCorp Consul, Docker, and Gitea—to deploy XMRig-based Monero miners.
JINX-0132 targets exposed Nomad servers lacking ACL protections by submitting malicious jobs through the API, effectively gaining
Wiz · blogs_wiz · 2025-06-02 · DevOps Tools Targeted for Cryptojacking | Wiz Blog
## Intro
Wiz Threat Research has identified a broad cryptojacking campaign targeting publicly accessible DevOps web servers including exposed Nomad, Consul, Docker and Gitea applications. In the course of investigating this campaign, we observed attackers exploiting a range of known misconfigurations and vulnerabilities across various technologies to deploy their mining software.
Notably, this campaign marks what we believe to be the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector in the wild. We have designated the threat actor responsible for these activities as JINX-0132.
Misconfiguration abuse by threat actors can often go under defenders’ radar, especially if the affected application isn’t well known as an attack vector. This was al
References
- http://packetstormsecurity.com/files/162122/Gitea-Git-Hooks-Remote-Code-Execution.html
- https://docs.github.com/en/enterprise-server%402.19/admin/policies/creating-a-pre-receive-hook-script
- https://docs.gitlab.com/ee/administration/server_hooks.html
- https://github.com/PandatiX/CVE-2021-28378
- https://github.com/PandatiX/CVE-2021-28378#notes
- https://github.com/go-gitea/gitea/pull/13058
- https://github.com/go-gitea/gitea/releases
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/