CVE-2020-28991 – This vulnerability in Gitea allows attackers to... (How to Fix)

Q: What is the severity of CVE-2020-28991?

CVE-2020-28991 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Gitea allows attackers to inject malicious git protocol URLs containing newline characters and port specifications, potentially enabling remote code execution. It affects Gitea instances running versions 0.9.99 through 1.12.5. Organizations using vulnerable Gitea versions for source code management are at risk.

📋 TL;DR

This vulnerability in Gitea allows attackers to inject malicious git protocol URLs containing newline characters and port specifications, potentially enabling remote code execution. It affects Gitea instances running versions 0.9.99 through 1.12.5. Organizations using vulnerable Gitea versions for source code management are at risk.

💻 Affected Systems

Products:

Gitea

Versions: 0.9.99 through 1.12.5

Operating Systems: All platforms running Gitea

Default Config Vulnerable: ⚠️ Yes

Notes: All Gitea installations within the affected version range are vulnerable regardless of configuration.

📦 What is this software?

Gitea by Gitea

View all CVEs affecting Gitea →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Server compromise allowing attackers to access source code repositories, modify content, or deploy malicious code.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls, potentially only affecting the Gitea service.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

The vulnerability requires crafting specific git protocol URLs but does not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.6

Vendor Advisory: https://github.com/go-gitea/gitea/releases/tag/v1.12.6

Restart Required: Yes

Instructions:

1. Backup your Gitea data and configuration. 2. Stop the Gitea service. 3. Download and install Gitea 1.12.6 or later from https://github.com/go-gitea/gitea/releases. 4. Restart the Gitea service. 5. Verify the update was successful.

🔧 Temporary Workarounds

Disable git protocol access

all

Temporarily disable git protocol access to prevent exploitation while patching.

Edit Gitea configuration file (app.ini) and set DISABLE_GIT_PROTOCOL = true under [git] section

🧯 If You Can't Patch

Implement strict network access controls to limit Gitea exposure
Monitor for suspicious git protocol requests and newline characters in URLs

🔍 How to Verify

Check if Vulnerable:

Check Gitea version via web interface or command line: gitea --version

Check Version:

gitea --version

Verify Fix Applied:

Confirm version is 1.12.6 or higher and test git protocol functionality

📡 Detection & Monitoring

Log Indicators:

Unusual git protocol requests
URLs containing %0A or %0D (URL-encoded newlines)
Failed authentication attempts with malformed URLs

Network Indicators:

Unusual traffic to git protocol ports
Requests with encoded newline characters

SIEM Query:

source="gitea.log" AND ("%0A" OR "%0D" OR "git://" AND "port")

📊 Metadata

CVE ID: CVE-2020-28991

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: November 24, 2020

Last Updated: November 21, 2024

🔗 References

https://github.com/go-gitea/gitea/pull/13525 Patch,Third Party Advisory
https://github.com/go-gitea/gitea/releases/tag/v1.12.6 Release Notes,Third Party Advisory
https://github.com/go-gitea/gitea/pull/13525 Patch,Third Party Advisory
https://github.com/go-gitea/gitea/releases/tag/v1.12.6 Release Notes,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON