CVE-2020-14144
published 2020-10-16

Priority: P2 (score 71, high)
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: known exploit
EPSS: 93.69% (99.8th percentile)
The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides."

Affected (2 ranges)

Vendor          Product   Version range        Fixed in
code.gitea.io   gitea     >= 1.1.0, < 1.12.6   1.12.6
gitea           gitea     1.1.0 – 1.12.5

Detection & IOCs (extracted from sources)

Paths:
  /user/login
  /repo/create
  /{username}/{repo}/settings/hooks/git/post-receive
  /{username}/{repo}/settings/hooks/git/pre-receive
  /{username}/{repo}/settings/hooks/git/update
Shodan query: html:"Powered by Gitea Version"
  • Detect exploitation attempts by monitoring POST requests to the git hook settings endpoints: /settings/hooks/git/post-receive, /settings/hooks/git/pre-receive, and /settings/hooks/git/update on Gitea instances running versions 1.1.0 through 1.12.5.
  • Monitor for the Gitea process spawning wget or curl to download XMRig or other binaries, followed by chmod 777 and execution — a pattern consistent with JINX-0132 post-exploitation via CVE-2020-14144.
  • Detect outbound connections to pool.supportxmr.com:443 from Gitea host processes, which indicates cryptomining activity following successful exploitation.
  • The exploit workflow involves: (1) login, (2) repo creation, (3) POST to /settings/hooks/git/post-receive with a shell payload in the 'content' field, (4) a dummy commit push to trigger the hook. Correlate these sequential HTTP events from the same session.
  • The JINX-0132 threat actor names malicious Nomad task groups 'NIGNOG' — this string in Nomad job definitions is a strong indicator of compromise associated with this campaign.
  • CVE-2020-14144 only applies to Gitea versions 1.1.0 through 1.12.5, where DISABLE_GIT_HOOKS defaults to false. Version 1.13.0+ changed the default to true, but the risk resurfaces if an admin manually re-enables hooks.
  • Exploitation requires the attacker to be authenticated with git hook creation privileges. For non-admin users, this permission must be explicitly granted by an administrator.
  • If INSTALL_LOCK=false, the installation wizard is accessible to anyone, allowing an attacker to reset admin credentials without needing existing credentials, bypassing the authentication prerequisite.
  • The Monero wallet address IOC is brittle: the attacker can trivially replace it in future campaign instances, so absence of this specific wallet address does not rule out JINX-0132 activity.
  • Gitea version 1.4.0 specifically is affected by an unauthenticated RCE via LFS object path traversal to forge an admin session. This is a separate, more severe attack path that does not require credentials.
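The detections above are stated in prose; the following is an added example (not code from this page, from Gitea, or from the cited research) that turns two of them into runnable logic: it correlates the four-step exploit sequence (login, repo create, hook write, push) per client IP over access-log lines, raises a lower-severity alert on any hook-settings POST, and audits an app.ini for the DISABLE_GIT_HOOKS and INSTALL_LOCK settings discussed in the list. Assumptions, all mine rather than the page's: log lines are in a simplified combined-log shape (`ip - user [timestamp] "METHOD path HTTP/1.1" status`), a "session" is approximated by client IP, the push is recognised by a POST ending in `/git-receive-pack`, and the correlation window is 15 minutes. The sample log and sample app.ini are constructed.

```python
import configparser
import re
from collections import defaultdict
from datetime import datetime

# Assumed (simplified) access-log shape; real Gitea/reverse-proxy logs differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The three git-hook settings endpoints listed on the page.
HOOK_RE = re.compile(r"^/[^/]+/[^/]+/settings/hooks/git/(pre-receive|update|post-receive)$")
CHAIN = ("login", "create", "hook", "push")  # exploit workflow, in order

# Constructed sample: a benign user, an admin legitimately editing a hook,
# and one client running the full CVE-2020-14144 chain.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2025:10:00:01 +0000] "POST /user/login HTTP/1.1" 303
10.0.0.5 - dev [02/Jun/2025:10:00:05 +0000] "GET /dev/app HTTP/1.1" 200
10.0.0.9 - admin [02/Jun/2025:10:00:30 +0000] "POST /admin/tools/settings/hooks/git/update HTTP/1.1" 303
203.0.113.7 - - [02/Jun/2025:10:01:00 +0000] "POST /user/login HTTP/1.1" 303
203.0.113.7 - evil [02/Jun/2025:10:01:02 +0000] "POST /repo/create HTTP/1.1" 303
203.0.113.7 - evil [02/Jun/2025:10:01:04 +0000] "POST /evil/x/settings/hooks/git/post-receive HTTP/1.1" 303
203.0.113.7 - evil [02/Jun/2025:10:01:09 +0000] "POST /evil/x.git/git-receive-pack HTTP/1.1" 200
"""

# Constructed app.ini: INSTALL_LOCK left false, DISABLE_GIT_HOOKS left unset.
SAMPLE_INI = """\
APP_NAME = gitea-lab
RUN_MODE = prod

[security]
INSTALL_LOCK = false
; DISABLE_GIT_HOOKS not set: default depends on the Gitea version
"""


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def stage_of(ev):
    """Map one request to a stage of the exploit chain, or None if unrelated."""
    if ev["method"] != "POST":
        return None
    p = ev["path"]
    if p == "/user/login":
        return "login"
    if p == "/repo/create":
        return "create"
    if HOOK_RE.match(p):
        return "hook"
    if p.endswith("/git-receive-pack"):  # assumed marker for the triggering push
        return "push"
    return None


def correlate(text, window_s=900):
    """Return alerts: 'hook_modified' for every hook-settings POST, and
    'exploit_chain' when one IP completes login -> create -> hook -> push in
    order within window_s seconds of the login."""
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        st = stage_of(ev)
        if st:
            by_ip[ev["ip"]].append((st, ev))
    alerts = []
    for ip, evs in by_ip.items():
        for st, ev in evs:
            if st == "hook":
                alerts.append({"ip": ip, "kind": "hook_modified", "user": ev["user"], "path": ev["path"]})
        idx, start = 0, None  # position in CHAIN and time of the matched login
        for st, ev in evs:
            if start is not None and (ev["ts"] - start).total_seconds() > window_s:
                idx, start = 0, None  # window expired: start over
            if st == CHAIN[idx]:
                if idx == 0:
                    start = ev["ts"]
                idx += 1
                if idx == len(CHAIN):
                    alerts.append({"ip": ip, "kind": "exploit_chain", "user": ev["user"], "path": ev["path"]})
                    idx, start = 0, None
    return alerts


def audit_app_ini(ini_text, gitea_version):
    """Flag the settings the advisory calls out. Per the page, DISABLE_GIT_HOOKS
    defaulted to false before 1.13.0 and to true from 1.13.0 onward."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Gitea's upper-case keys as written
    cp.read_string("[DEFAULT]\n" + ini_text)  # Gitea allows keys before any section
    version = tuple(int(x) for x in gitea_version.split("."))
    findings = []
    if not cp.getboolean("security", "DISABLE_GIT_HOOKS", fallback=version >= (1, 13, 0)):
        findings.append("git hooks enabled: DISABLE_GIT_HOOKS is false or defaulted to false")
    if not cp.getboolean("security", "INSTALL_LOCK", fallback=False):
        findings.append("INSTALL_LOCK is not true: install wizard reachable")
    return findings


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a)
    for v in ("1.12.5", "1.13.0"):
        print(v, audit_app_ini(SAMPLE_INI, v))
```

In the sample, only 203.0.113.7 triggers `exploit_chain`; the admin's hook edit from 10.0.0.9 produces just `hook_modified`, which is the expected noise level for an instance where hooks are legitimately enabled and should be triaged against the page's note that such edits require explicitly granted privileges.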

CVSS provenance

NVD  v3.1  7.2  HIGH    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD  v2.0  6.5  MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P