CVE-2021-3382

7.5 HIGH

📋 TL;DR

A stack buffer overflow vulnerability in Gitea versions 1.9.0 through 1.13.1 allows remote attackers to crash the service via specially crafted file paths. This affects all Gitea instances running vulnerable versions, potentially causing denial of service. The vulnerability is exploitable remotely without authentication.

💻 Affected Systems

Products:
  • Gitea
Versions: 1.9.0 through 1.13.1
Operating Systems: All platforms running Gitea
Default Config Vulnerable: ⚠️ Yes
Notes: All Gitea installations in affected version range are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, though this specific CVE only documents denial of service.

🟠

Likely Case

Service crash and denial of service, requiring manual restart of Gitea.

🟢

If Mitigated

Minimal impact with proper network segmentation and updated versions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Vectors involve file path manipulation; exploitation appears straightforward based on CWE-787 classification.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.13.2 and later

Vendor Advisory: https://github.com/go-gitea/gitea/pull/14390

Restart Required: Yes

Instructions:

1. Back up your Gitea data and configuration.
2. Stop the Gitea service.
3. Update to Gitea 1.13.2 or later using your package manager or a manual installation.
4. Restart the Gitea service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction

Platform: Linux

Restrict network access to Gitea to trusted IP addresses only. Port 3000 is Gitea's default HTTP port; adjust it if your instance listens elsewhere or sits behind a reverse proxy (in which case the proxy's address must be in the allowed range), and replace trusted_ip_range with your own address or CIDR. Keep the ACCEPT rule before the DROP rule, as written here:

iptables -A INPUT -p tcp --dport 3000 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Gitea from untrusted networks
  • Deploy web application firewall (WAF) with buffer overflow protection rules

🔍 How to Verify

Check if Vulnerable:

Check Gitea version via web interface or command line: gitea --version

Check Version:

gitea --version

Verify Fix Applied:

Confirm version is 1.13.2 or higher and test file upload functionality
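The version check above can be scripted so that the result is unambiguous for every host in a fleet. The following POSIX sh script is an added example, not part of this advisory or of the Gitea project; it assumes only that the `gitea --version` banner contains the version as its first x.y.z token (for example "Gitea version 1.13.1 built with ..."), and the banners it runs against are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify a Gitea instance from the
# banner that "gitea --version" prints, against the CVE-2021-3382 range
# 1.9.0 through 1.13.1 (fixed in 1.13.2). Assumes the banner contains the
# version as the first x.y.z token, e.g. "Gitea version 1.13.1 built with ...".

# Pull the first dotted three-part version out of a banner string.
gitea_version_from_banner() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Compare two x.y.z versions numerically, field by field; prints -1, 0 or 1.
vercmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s\n' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Prints "affected", "fixed", "unaffected" (older than 1.9.0) or "unknown"
# (no version token found in the banner).
gitea_version_status() {
    v=$(gitea_version_from_banner "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    if [ "$(vercmp "$v" 1.9.0)" -lt 0 ]; then echo unaffected; return 0; fi
    if [ "$(vercmp "$v" 1.13.2)" -ge 0 ]; then echo fixed; return 0; fi
    echo affected
}

# Constructed banners for offline demonstration; on a live host use:
#   gitea_version_status "$(gitea --version)"
for banner in \
    'Gitea version 1.13.1 built with GNU Make 4.1, go1.15.6 : bindata, sqlite, sqlite_unlock_notify' \
    'Gitea version 1.13.2 built with GNU Make 4.1, go1.15.7 : bindata, sqlite, sqlite_unlock_notify' \
    'Gitea version 1.8.3 built with go1.12.5'
do
    echo "$(gitea_version_status "$banner")  <- $banner"
done
```

The numeric field-by-field comparison matters because a plain string comparison would rank 1.9.0 above 1.13.1; the script treats anything below 1.9.0 as outside the published range and anything at or above 1.13.2 as fixed.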

📡 Detection & Monitoring

Log Indicators:

  • Gitea service crash logs
  • Unexpected file path requests in access logs
  • Stack trace errors in application logs

Network Indicators:

  • Multiple connection attempts with malformed file paths
  • Unusual traffic patterns to file upload endpoints

SIEM Query:

source="gitea.log" AND ("panic" OR "stack overflow" OR "segmentation fault" OR "goroutine stack exceeds")

The last term covers the message the Go runtime prints when a goroutine exhausts its stack ("runtime: goroutine stack exceeds ... limit", followed by "fatal error: stack overflow"), which is how a Go process such as Gitea reports this condition rather than as a segmentation fault.
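Where no SIEM is available, the same search can be run directly over a Gitea log file. The script below is an added example, not part of this advisory or of Gitea; the log lines it scans are constructed for the demonstration and do not reproduce real Gitea output, and the only assumption is that the log is plain text.

```shell
#!/bin/sh
# Added example (not from the advisory): run the crash-indicator search over a
# Gitea log file offline. The pattern mirrors the SIEM query above and includes
# the message the Go runtime prints when a goroutine exhausts its stack.
CRASH_PATTERN='panic|stack overflow|segmentation fault|goroutine stack exceeds'

# Print matching lines prefixed with their line numbers (case-insensitive).
gitea_crash_events() {
    grep -niE "$CRASH_PATTERN" "$1" || true
}

# Count matching lines; prints 0 when nothing matched.
gitea_crash_count() {
    grep -ciE "$CRASH_PATTERN" "$1" || true
}

# Constructed sample log: illustrative lines only, not captured Gitea output.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2021/01/20 10:00:01 [I] Router: completed GET /org/repo/src/branch/main/README.md for 10.0.0.5:51234, 200 OK in 3.1ms
2021/01/20 10:00:02 [I] Router: started GET /org/repo/src/branch/main/docs for 10.0.0.9:51240
panic: runtime error: invalid memory address or nil pointer dereference
runtime: goroutine stack exceeds 1000000000-byte limit
fatal error: stack overflow
2021/01/20 10:05:00 [I] Gitea restarted by supervisor
EOF

gitea_crash_events "$SAMPLE_LOG"
echo "crash indicators found: $(gitea_crash_count "$SAMPLE_LOG")"
```

On a live host point the functions at the configured log path (commonly under Gitea's log directory) and pair a non-zero count with the service's restart events to tell a single crash from repeated ones.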
