First published: Tue Nov 24 2020
Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gitea Gitea | >=0.9.99 <1.12.6 | |
| go/github.com/go-gitea/gitea | >=0.9.99 <1.12.6 | 1.12.6 |
The severity of CVE-2020-28991 is critical with a value of 9.8.
Gitea versions 0.9.99 through 1.12.x before 1.12.6 are affected by CVE-2020-28991.
CVE-2020-28991 allows an attacker to specify a TCP port number and include newlines in the git protocol path.
The fix for CVE-2020-28991 is included in Gitea version 1.12.6.
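The combination named in the description (git scheme, explicit TCP port, URL-encoded newline) can be checked against stored mirror or migration addresses when auditing an instance. The Go code below is an added example, not Gitea's code or its patch; the function names and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hasEncodedNewline reports whether the raw address carries a percent-encoded
// CR or LF anywhere (path, query, fragment or userinfo). Hex digits in a
// percent-escape are case-insensitive, so the address is lowercased first.
func hasEncodedNewline(remote string) bool {
	l := strings.ToLower(remote)
	return strings.Contains(l, "%0a") || strings.Contains(l, "%0d")
}

// matchesAdvisory reports the exact combination the advisory describes:
// git:// scheme, an explicit TCP port, and a URL-encoded newline.
// Hypothetical helper name; not a Gitea function.
func matchesAdvisory(remote string) bool {
	u, err := url.Parse(remote)
	if err != nil {
		return false // unparseable input is left to the caller's own validation
	}
	// url.Parse lowercases the scheme; Port() is "" when no port is given.
	return u.Scheme == "git" && u.Port() != "" && hasEncodedNewline(remote)
}

func main() {
	// Constructed sample addresses (example.com is a placeholder host).
	samples := []string{
		"git://example.com:9418/org/repo.git",
		"git://example.com:9418/org/repo%0d%0aX.git",
		"git://example.com/org/repo%0AX.git",
		"https://example.com:3000/org/repo.git",
	}
	for _, s := range samples {
		fmt.Printf("advisory=%-5v encoded-newline=%-5v %s\n",
			matchesAdvisory(s), hasEncodedNewline(s), s)
	}
}
```

A stricter input policy rejects any address for which `hasEncodedNewline` is true, whatever the scheme or port.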