CVE-2021-45325
📋 TL;DR
Gitea before 1.7.0 performs OpenID 2.0 discovery against whatever identifier URL a visitor types into the OpenID sign-in form, without checking where that URL points. Anyone who can reach the sign-in page (no account needed) can therefore make the Gitea server issue HTTP requests to hosts it can reach but the attacker cannot: loopback services, internal web applications and cloud instance-metadata endpoints. Every instance running a version before 1.7.0 with ENABLE_OPENID_SIGNIN turned on is affected. The fix shipped in Gitea 1.7.0 in January 2019; the CVE identifier was assigned retroactively in 2021.
💻 Affected Systems
- Gitea
📦 What is this software?
Gitea is a self-hosted Git service written in Go. The feature at issue is its OpenID 2.0 sign-in (the identifier URL form on the login page), not the OAuth2/OpenID Connect authentication sources.
⚠️ Risk & Real-World Impact
Worst Case
The request is made from the Gitea host's network position, so anything that host can reach is in scope. An attacker could read credentials from cloud instance-metadata services (AWS, Azure and GCP all answer on 169.254.169.254), map internal networks host by host and port by port, reach internal web applications that trust the network, and use whatever credential or service they find to pivot further.
Likely Case
Typical use is reconnaissance: submitting identifiers that point at internal addresses and ports and inferring what is there from response time and the error Gitea shows, reaching internal web applications, and reading cloud metadata if the instance runs in a cloud environment whose metadata service is not header- or token-protected.
If Mitigated
With strict egress filtering from the Gitea host (only the identity providers, Git remotes and mail relay it actually needs), a hardened metadata service (IMDSv2 on AWS needs a token obtained with a PUT request, and Azure and GCP require a custom request header, none of which an OpenID discovery fetch supplies) and an OpenID allow list in app.ini, the reachable set shrinks to the providers you chose.
🎯 Exploit Status
No account or special privilege is required: the identifier is taken from the public OpenID sign-in form (POST /user/login/openid), so any visitor can trigger the server-side fetch while ENABLE_OPENID_SIGNIN is on. The fetched content is not shown to the user, but the error displayed for a refused connection, a timeout and a response that is not an OpenID document typically differs, which is enough to map hosts and ports. The pull request that fixed the issue and the 1.7.0 changelog describe it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0 and later
Vendor Advisory: https://blog.gitea.io/2019/01/gitea-1.7.0-is-released/
Restart Required: Yes
Instructions:
1. Back up the Gitea data directory, custom/conf/app.ini and the database; Gitea runs schema migrations on the first start of a newer version, and a jump from 1.6 or earlier to a current release crosses many of them, so test the upgrade on a copy first.
2. Download Gitea 1.7.0 or later from https://dl.gitea.io/gitea/ (or pull the matching container image if you run Gitea in Docker).
3. Stop the Gitea service.
4. Replace the Gitea binary (or image) with the new version.
5. Start the Gitea service and watch the log for the migrations to complete.
6. Verify that gitea --version reports 1.7.0 or higher.
🔧 Temporary Workarounds
Disable OpenID Authentication
Temporarily disable OpenID sign-in (and sign-up) until the upgrade is done.
In app.ini, under the [openid] section (not [service]), set ENABLE_OPENID_SIGNIN = false and ENABLE_OPENID_SIGNUP = false, then restart Gitea. Do not assume it is already off: the installer offers OpenID sign-in as an option, so check the file or look for the OpenID tab on the sign-in page. If OpenID must stay on, the same section's WHITELISTED_URIS (space-separated POSIX regexps; when non-blank, only matching identifiers are accepted) can be pinned to the identity providers you use. That removes arbitrary identifiers but only narrows the fetch to whatever the listed providers do, so treat it as a stopgap rather than a fix.
Network Segmentation
Restrict outbound connections from the Gitea host with host or network firewall rules: allow the Git remotes, identity providers and mail relay it needs, block the RFC 1918 ranges it has no business reaching, and block 169.254.169.254 (or enforce IMDSv2 on AWS).
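The regex lists only look at the identifier string; a hostname that resolves to an internal address walks straight past them. The following is an added example, not Gitea's own code, of the gate a server should apply to a user-supplied OpenID identifier before dereferencing it: normalise, restrict the scheme, apply allow/block patterns with the same semantics as WHITELISTED_URIS / BLACKLISTED_URIS, resolve the host and reject any internal answer, and re-check at connect time so DNS rebinding between validation and fetch is caught too. The Policy type, its field names and the stub resolver are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
	"syscall"
)

// Policy is the gate a user-supplied OpenID identifier must pass before the
// server dereferences it (example type, not Gitea's). Allowed/Blocked follow
// the semantics of Gitea's [openid] WHITELISTED_URIS / BLACKLISTED_URIS: when
// Allowed is set, only matching identifiers pass and Blocked is ignored.
// Resolve is injectable so the check runs without DNS (nil means net.LookupIP).
type Policy struct {
	Allowed *regexp.Regexp
	Blocked *regexp.Regexp
	Resolve func(host string) ([]net.IP, error)
}

// IsInternalIP reports whether a server-side fetch must never reach ip:
// unspecified, loopback, RFC 1918 / ULA, multicast, link-local (which holds the
// 169.254.169.254 metadata address) and 100.64.0.0/10 (carrier-grade NAT).
// IPv4-mapped IPv6 is unwrapped first so ::ffff:127.0.0.1 is caught as well.
func IsInternalIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
		if v4[0] == 100 && v4[1]&0xc0 == 0x40 {
			return true
		}
	}
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast()
}

// CheckIdentifier normalises raw as OpenID 2.0 does for bare identifiers
// (prepend http://), enforces http(s) without embedded credentials, applies the
// pattern lists, then resolves the host and rejects it if any answer is internal.
func (p Policy) CheckIdentifier(raw string) (string, error) {
	id := strings.TrimSpace(raw)
	if !strings.Contains(id, "://") {
		id = "http://" + id
	}
	u, err := url.Parse(id)
	if err != nil {
		return "", fmt.Errorf("invalid identifier: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("scheme %q is not allowed for OpenID discovery", u.Scheme)
	}
	host := u.Hostname()
	if u.User != nil || host == "" {
		return "", errors.New("identifier must have a host and no credentials")
	}
	if p.Allowed != nil {
		if !p.Allowed.MatchString(id) {
			return "", errors.New("identifier is not on the allow list")
		}
	} else if p.Blocked != nil && p.Blocked.MatchString(id) {
		return "", errors.New("identifier is on the block list")
	}
	// A literal address skips DNS; a name is resolved and every answer is
	// checked, since one public plus one internal record is the usual way
	// past a string-only filter.
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil {
		resolve := p.Resolve
		if resolve == nil {
			resolve = net.LookupIP
		}
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return "", fmt.Errorf("resolving %q failed: %v", host, err)
		}
	}
	for _, ip := range ips {
		if IsInternalIP(ip) {
			return "", fmt.Errorf("%q points at internal address %s", host, ip)
		}
	}
	return u.String(), nil
}

// DialControl belongs in net.Dialer.Control of the HTTP client that performs
// discovery: it re-checks the address actually being connected to, so a name
// re-pointed at an internal address after CheckIdentifier ran (DNS rebinding)
// is still refused at connect time.
func DialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || IsInternalIP(ip) {
		return fmt.Errorf("refusing to dial %s", address)
	}
	return nil
}

func main() {
	// Stub resolver so the demo runs offline; 203.0.113.0/24 is documentation space.
	p := Policy{Resolve: func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("203.0.113.10")}, nil }}
	for _, id := range []string{"openid.example.org/alice", "http://169.254.169.254/latest/meta-data/"} {
		safe, err := p.CheckIdentifier(id)
		fmt.Printf("%-42s safe=%q err=%v\n", id, safe, err)
	}
}
```

Wire DialControl into the discovery client as `&http.Transport{DialContext: (&net.Dialer{Control: DialControl}).DialContext}`; without the connect-time check, a validated name can be re-pointed at 169.254.169.254 with a short TTL between the check and the fetch. Redirects issued by the target are followed by the same client, so they are covered by the same control.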
🧯 If You Can't Patch
- Disable OpenID authentication completely in the Gitea configuration
- Implement strict network egress filtering from the Gitea host, including 169.254.169.254 unless the metadata service is header- or token-protected (IMDSv2 on AWS)
🔍 How to Verify
Check if Vulnerable:
An instance is vulnerable if gitea --version reports a version below 1.7.0 and ENABLE_OPENID_SIGNIN is true in the [openid] section of app.ini (equivalently, the sign-in page shows an OpenID tab).
Check Version:
./gitea --version or gitea --version
Verify Fix Applied:
Confirm gitea --version reports 1.7.0 or higher. To check behaviour rather than version, start a listener on an address the Gitea host can reach but outside users cannot (a spare port on the Gitea host's loopback interface, for instance), submit its URL as the OpenID identifier on the sign-in page, and watch the listener: a vulnerable build connects to it, a fixed one must not.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Gitea server to internal IP addresses
- OpenID sign-in errors whose identifier is an IP literal, a loopback, link-local or RFC 1918 address, or a non-standard port, especially many in quick succession from one client
Network Indicators:
- Gitea server making HTTP requests to internal network ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (169.254.169.254 on AWS, Azure and GCP; also metadata.google.internal on GCP)
SIEM Query:
Gitea's application log does not record where an OpenID discovery fetch went, so query egress logs (firewall, proxy, VPC flow logs) with the Gitea host as the source, excluding the peers it legitimately talks to, and correlate hits with POST /user/login/openid entries in Gitea's router log at the same time:
source="egress-firewall" AND src_ip=<gitea-host> AND (dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) OR dest_ip=169.254.169.254) AND NOT (dest_ip=<db-host> AND dest_port=<db-port>)