CVE-2019-11229
Description
models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gitea before 1.7.6 and 1.8-RC3 mishandles mirror repo URL settings, enabling authenticated remote code execution.
Vulnerability
Details CVE-2019-11229 is a remote code execution vulnerability in Gitea, an open-source Git hosting solution, affecting versions before 1.7.6 and 1.8.x before 1.8-RC3. The flaw resides in models/repo_mirror.go, where mirror repository URL settings are improperly handled [2]. This allows an attacker to inject arbitrary Git configuration options that can lead to command execution.
Exploitation
To exploit the vulnerability, an attacker must have authenticated access to Gitea with administrative privileges over a repository, specifically the ability to modify mirror settings. By crafting a malicious URL containing Git config directives (e.g., --upload-pack), the attacker can execute arbitrary commands on the Gitea server during mirror operations [1][3]. Public exploit code exists, demonstrating the attack vector [3].
Impact
Successful exploitation grants the attacker remote code execution on the server running Gitea, potentially leading to full compromise of the application and its underlying system. The vulnerability is classified as critical (CVSS v3 base score 9.0) [2].
Mitigation
The vulnerability is fixed in Gitea versions 1.7.6 and 1.8-RC3 and later [4]. Users are strongly advised to upgrade immediately. No workarounds are available for unpatched versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/go-gitea/giteaGo | < 1.7.6 | 1.7.6 |
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- github.com/advisories/GHSA-hpmr-prr2-cqc4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-11229ghsaADVISORY
- packetstormsecurity.com/files/160833/Gitea-1.7.5-Remote-Code-Execution.htmlghsax_refsource_MISCWEB
- github.com/go-gitea/gitea/pull/6593ghsaWEB
- github.com/go-gitea/gitea/pull/6595ghsaWEB
- github.com/go-gitea/gitea/releases/tag/v1.7.6ghsax_refsource_MISCWEB
- github.com/go-gitea/gitea/releases/tag/v1.8.0-rc3ghsax_refsource_MISCWEB
- www.exploit-db.com/exploits/49383ghsaWEB
News mentions
0No linked articles in our index yet.