CVE-2020-28991

Vulnerability

CVE-2020-28991 is an input validation flaw in Gitea's ParseRemoteAddr function within modules/auth/repo_form.go. In versions 0.9.99 through 1.12.x before 1.12.6, the function fails to sanitize URL-encoded newline characters (%0A or %0D%0A) when a git protocol path includes a TCP port number [1]. This allows an attacker to inject arbitrary newline sequences into the remote address.

Exploitation

An attacker can craft a malicious git remote URL that includes a TCP port and URL-encoded newlines. For example, a repository URL like git://host:port%0Acommand would be parsed without stripping the newline, potentially causing the application to interpret the subsequent text as separate commands or arguments. The attack does not require authentication if the attacker can influence a remote URL, such as through repository creation or modification requests that are processed by the server.

Impact

Successful exploitation could lead to arbitrary command execution on the Gitea server. By injecting newlines, an attacker may break out of the intended git invocation and execute shell commands with the privileges of the Gitea process. This could result in full compromise of the server, including data exfiltration, service disruption, or lateral movement within the network.

Mitigation

The vulnerability is fixed in Gitea version 1.12.6, which disallows URL-encoded newlines in git protocol paths that include a port number [3][4]. Users are strongly advised to upgrade to 1.12.6 or later. No workarounds have been publicly documented, and the issue is addressed by the patch merged in pull request #13525 [4].