CVE-2021-45327

9.8 CRITICAL

📋 TL;DR

CVE-2021-45327 is a server-side request forgery (SSRF) vulnerability in Gitea's admin and user API endpoints that improperly trusts HTTP permission methods. This allows remote attackers to execute arbitrary code on affected Gitea instances. All Gitea installations before version 1.11.2 are vulnerable.

💻 Affected Systems

Products:
  • Gitea
Versions: All versions before 1.11.2
Operating Systems: All platforms running Gitea
Default Config Vulnerable: ⚠️ Yes
Notes: All Gitea installations with admin or user API endpoints accessible are vulnerable. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attacker gains full system compromise, executes arbitrary code with Gitea process privileges, and potentially pivots to other systems.

🟠 Likely Case

Attacker gains administrative access to Gitea instance, modifies repositories, steals source code, and potentially executes code within the Gitea application context.

🟢 If Mitigated

With proper network segmentation and least privilege, impact limited to Gitea application compromise without system-level access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to Gitea API endpoints. Multiple public references demonstrate the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.2 and later

Vendor Advisory: https://blog.gitea.io/2020/03/gitea-1.11.2-is-released/

Restart Required: Yes

Instructions:

1. Backup Gitea data and configuration.
2. Stop the Gitea service.
3. Update to Gitea 1.11.2 or later using the package manager or a manual installation.
4. Restart the Gitea service.
5. Verify the version and functionality.

🔧 Temporary Workarounds

Network Access Control (platform: linux)

Restrict network access to Gitea API endpoints using firewall rules. Replace trusted_network with the trusted source range in CIDR form; port 3000 is Gitea's default HTTP port, so adjust it if the instance listens elsewhere or sits behind a reverse proxy:

iptables -A INPUT -p tcp --dport 3000 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

Reverse Proxy Filtering (platform: all)

Configure the reverse proxy in front of Gitea to reject requests to the admin and user API endpoints (the vulnerable paths) from untrusted sources

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Gitea from sensitive systems
  • Deploy web application firewall with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check Gitea version via web interface or command: gitea --version

Check Version:

gitea --version

Verify Fix Applied:

Confirm version is 1.11.2 or higher and test API endpoints for proper permission validation

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests to admin/user endpoints
  • Requests with manipulated HTTP methods
  • Unexpected process execution from Gitea

Network Indicators:

  • External connections from Gitea to internal services
  • Unusual outbound traffic patterns

SIEM Query:

source="gitea.log" AND ("API" OR "admin" OR "user") AND ("POST" OR "PUT" OR "DELETE") AND status=200
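The SIEM query above is a coarse filter. As an added example (not part of this advisory or of Gitea), the following script applies the same idea offline to constructed sample lines in the style of Gitea 1.11's Macaron router log (an assumption; the real format depends on version and logging configuration), and goes slightly beyond the query by flagging any 2xx write request (POST, PUT, DELETE, PATCH) to the admin or user API paths, so that a DELETE answered with 204 is not missed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (assumption: Macaron-style router log as used by Gitea 1.11).
SAMPLE_LOG = """\
[Macaron] 2020-03-01 10:00:01: Completed GET /api/v1/user/repos 200 OK in 3.1ms
[Macaron] 2020-03-01 10:00:02: Completed POST /api/v1/admin/users 200 OK in 12.4ms
[Macaron] 2020-03-01 10:00:03: Completed DELETE /api/v1/admin/users/bob 204 No Content in 8.0ms
[Macaron] 2020-03-01 10:00:04: Completed PUT /api/v1/user/keys 200 OK in 4.2ms
[Macaron] 2020-03-01 10:00:05: Completed POST /api/v1/repos/org/proj/issues 201 Created in 6.5ms
[Macaron] 2020-03-01 10:00:06: Completed POST /api/v1/admin/users 401 Unauthorized in 1.0ms
"""

# "Completed <METHOD> <PATH> <STATUS> ..." is the part of each line we care about.
LINE_RE = re.compile(r"Completed (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) ")

WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}
# Admin API lives under /api/v1/admin/; the authenticated-user API under /api/v1/user(s).
SENSITIVE_PREFIXES = ("/api/v1/admin/", "/api/v1/user", "/api/v1/users")


def parse_line(line: str) -> Optional[Dict]:
    """Extract method, path and numeric status from one router log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"method": m.group("method"), "path": m.group("path"), "status": int(m.group("status"))}


def flag_suspicious(log_text: str) -> List[Dict]:
    """Return successful (2xx) write requests against the admin/user API endpoints."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] in WRITE_METHODS
                and rec["path"].startswith(SENSITIVE_PREFIXES)
                and 200 <= rec["status"] < 300):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(f"{hit['method']} {hit['path']} -> {hit['status']}")
```

Successful writes to these endpoints are normal for legitimate administrators, so correlate the hits with the source address and the expected admin accounts before treating them as exploitation.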
