High severity · OSV Advisory · Published Apr 13, 2019 · Updated Aug 4, 2024

CVE-2019-11228

Description

repo/setting.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 does not validate the form.MirrorAddress before calling SaveAddress.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Gitea before 1.7.6 and 1.8.x before 1.8-RC3 lacks validation of MirrorAddress in repo/setting.go, potentially allowing attackers to inject arbitrary mirror URLs.

Vulnerability

The vulnerability exists in repo/setting.go where the MirrorAddress field from the form is passed directly to SaveAddress without any validation. This allows an attacker to set an arbitrary URL as the mirror address for a repository [1].

Exploitation

An attacker with repository administration privileges can modify the mirror settings to point to an attacker-controlled server. The lack of validation means no checks are performed on the URL scheme, host, or path before saving [1][2].

Impact

When the mirror is updated, the Gitea instance will connect to the attacker-specified URL, potentially enabling server-side request forgery (SSRF), data exfiltration, or other network-based attacks [1].

Mitigation

The issue was patched in Gitea version 1.7.6 and version 1.8-RC3. Users should upgrade to these or later versions to protect their installations [2][3][4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
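
The kind of check the description says was missing before the address is saved, written as an added Go example; it is not Gitea's code or the actual patch. The helper name `ValidateMirrorAddress`, the scheme allowlist, and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// allowedSchemes is an assumed policy for this example, not Gitea's list.
var allowedSchemes = map[string]bool{"http": true, "https": true, "git": true}

// ValidateMirrorAddress (hypothetical helper) checks a user-supplied mirror
// URL before it is persisted: parsable, allowlisted scheme, non-empty host,
// and no literal loopback/private/link-local address. DNS is not resolved here.
func ValidateMirrorAddress(raw string) error {
	if strings.ContainsAny(raw, " \t\r\n") {
		return errors.New("mirror address contains whitespace")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("mirror address is not a valid URL: %w", err)
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" || strings.EqualFold(host, "localhost") {
		return errors.New("mirror address has no usable remote host")
	}
	if ip := net.ParseIP(host); ip != nil && (ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()) {
		return fmt.Errorf("mirror address %s is an internal IP", ip)
	}
	return nil
}

func main() {
	// Constructed sample inputs, one accepted and three rejected.
	for _, addr := range []string{
		"https://example.com/org/repo.git",
		"ftp://example.com/org/repo.git",
		"http://127.0.0.1:3000/org/repo.git",
		"https:///org/repo.git",
	} {
		fmt.Printf("%-40s -> %v\n", addr, ValidateMirrorAddress(addr))
	}
}
```

Because a hostname can resolve to an internal address after it has been saved, a check like this at form-handling time complements, rather than replaces, a check made when the mirror connection is opened.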

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/go-gitea/gitea (Go) | < 1.7.6 | 1.7.6
