CVE-2021-45330
📋 TL;DR
This vulnerability in Gitea allows a malicious user to maintain access to a session even after logout due to improper cookie deletion on the client side and session persistence on the server side. This affects all Gitea instances up to version 1.15.7, potentially allowing attackers to reuse valid sessions and escalate privileges.
💻 Affected Systems
- Gitea
📦 What is this software?
Gitea by Gitea
⚠️ Risk & Real-World Impact
Worst Case
An attacker could maintain persistent access to a compromised account, perform unauthorized actions, escalate privileges to administrative levels, and potentially compromise the entire Gitea instance and connected systems.
Likely Case
Attackers who obtain session cookies through various means (XSS, MITM, stolen devices) can maintain access to user accounts even after legitimate users log out, leading to unauthorized access and data manipulation.
If Mitigated
With proper session management controls and network segmentation, impact is limited to isolated Gitea instances with minimal lateral movement potential.
🎯 Exploit Status
Exploitation requires obtaining valid session cookies through other means (XSS, MITM, credential theft). Once cookies are obtained, maintaining access is trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.15.8 and later
Vendor Advisory: https://github.com/go-gitea/gitea/security/advisories/GHSA-4hq8-gm82-5g9p
Restart Required: Yes
Instructions:
1. Back up your Gitea instance and database.
2. Download Gitea 1.15.8 or later from https://github.com/go-gitea/gitea/releases.
3. Stop the Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart the Gitea service.
6. Verify that the version has been updated.
🔧 Temporary Workarounds
Force session invalidation on logout
Implement custom middleware to force server-side session deletion on logout events
Custom code modification required - not command-line applicable
Reduce session lifetime
Configure shorter session timeout values in app.ini to limit the exposure window
Edit app.ini and set, under [session], SESSION_LIFE_TIME = 3600 (1 hour instead of the default 7 days)
🧯 If You Can't Patch
- Implement network segmentation to isolate Gitea from critical systems
- Enable detailed session logging and monitor for abnormal session patterns
🔍 How to Verify
Check if Vulnerable:
Check Gitea version: if version is 1.15.7 or earlier, the system is vulnerable
Check Version:
./gitea --version or check web interface footer
Verify Fix Applied:
After patching, test the logout flow:
1. Log in.
2. Log out.
3. Attempt to reuse the old session cookie; the request should be rejected.
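The logout check above, scripted as an added example (not part of the advisory and not Gitea's own code); the URL paths, form field names and the default session cookie name are assumptions about Gitea's web UI and may need adjusting for your instance.

```python
"""Added check for CVE-2021-45330: a Gitea session cookie captured before logout must be
rejected afterwards. Not Gitea's code; paths, form fields and cookie name are assumptions."""
import re
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Assumed: Gitea emits the CSRF token as a hidden input or a <meta> tag.
CSRF_RE = re.compile(r'name="_csrf"\s+(?:value|content)="([^"]+)"')
SESSION_COOKIE = "i_like_gitea"  # assumed default for [session] COOKIE_NAME


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx responses instead of following them


def extract_csrf(html):
    m = CSRF_RE.search(html)
    if not m:
        raise ValueError("no _csrf token found in page")
    return m.group(1)


def classify(status, location):
    """Redirect to login = server destroyed the session; 200 = still live."""
    if status in (301, 302, 303) and "/user/login" in (location or ""):
        return "rejected"
    if status == 200:
        return "still-valid"
    return "inconclusive (%d)" % status


def request(opener, target, data=None):
    try:
        r = opener.open(target, data)
        return r.status, r.headers.get("Location", ""), r.read().decode()
    except urllib.error.HTTPError as e:  # 3xx lands here because of NoRedirect
        return e.code, e.headers.get("Location", ""), e.read().decode()


def check(base, user, password):
    # Log in, copy the session cookie, log out, then replay only the copy.
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar), NoRedirect)
    _, _, html = request(opener, base + "/user/login")
    form = {"_csrf": extract_csrf(html), "user_name": user, "password": password}
    request(opener, base + "/user/login", urllib.parse.urlencode(form).encode())
    kept = {c.name: c.value for c in jar}[SESSION_COOKIE]  # copy taken before logout
    _, _, html = request(opener, base + "/")
    request(opener, base + "/user/logout", urllib.parse.urlencode({"_csrf": extract_csrf(html)}).encode())
    req = urllib.request.Request(base + "/user/settings", headers={"Cookie": SESSION_COOKIE + "=" + kept})
    status, location, _ = request(urllib.request.build_opener(NoRedirect), req)
    return classify(status, location)
```

Run `check("https://gitea.example", user, password)` against a test account; "rejected" means the server-side session was destroyed on logout, "still-valid" means the instance still exhibits the bug.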
📡 Detection & Monitoring
Log Indicators:
- Multiple successful logins from the same session ID after logout events
- Session reuse from different IP addresses
- Extended session duration beyond configured limits
Network Indicators:
- Unusual authentication patterns
- Session cookies being used from unexpected locations
SIEM Query:
source="gitea.log" AND (("session" AND "reuse") OR ("invalid session" NOT "destroyed"))