Main Vulnerability Database SB2019041511

SB2019041511 - Multiple vulnerabilities in Gitea

Published: April 15, 2019 Updated: July 17, 2020

Security Bulletin ID SB2019041511

Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2019-11228)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

repo/setting.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 does not validate the form.MirrorAddress before calling SaveAddress.

2) Input validation error (CVE-ID: CVE-2019-11229)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.

Install update from vendor's website.