CVE-2021-45331
Published 2022-02-09
Priority P357 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.30% (66.8th percentile)
An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured, the TOTP code for the 2FA can be submitted correctly more than once.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.5.0 | 1.5.0 |
| gitea | gitea | < 1.5.0 | 1.5.0 |
CVSS provenance
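| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |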
OSV
Reuse of one time passwords allowed in Gitea in code.gitea.io/gitea
osv·2024-08-21
CVE-2021-45331 Reuse of one time passwords allowed in Gitea in code.gitea.io/gitea
GHSA
Reuse of one time passwords allowed in Gitea
ghsa·2022-02-10
CVE-2021-45331 [CRITICAL] CWE-287 Reuse of one time passwords allowed in Gitea
OSV
Reuse of one time passwords allowed in Gitea
osv·2022-02-10
CVE-2021-45331 [CRITICAL] Reuse of one time passwords allowed in Gitea
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-02-09