CVE-2021-29134
Description
The avatar middleware in Gitea before 1.13.6 allows Directory Traversal via a crafted URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gitea before 1.13.6 has a directory traversal vulnerability in the avatar middleware, allowing attackers to read arbitrary files via a crafted URL.
Vulnerability
The avatar middleware in Gitea before version 1.13.6 is vulnerable to directory traversal. An attacker can craft a URL that allows traversal outside the intended avatar directory, leading to arbitrary file read [1][3]. The vulnerability is present in the avatars handler and specifically the getAvatar function [3]. Versions prior to 1.13.6 are affected [1][4].
Exploitation
An attacker needs network access to the Gitea instance and the ability to send a crafted HTTP request. No authentication is required if the avatar endpoint is publicly accessible. The attacker constructs a URL with path traversal sequences (e.g., ../) to access files outside the avatar storage directory [3]. The fix in pull request #15125 removed the use of filepath.Join with user-supplied path components, which was the root cause [3].
Impact
Successful exploitation allows an unauthenticated attacker to read arbitrary files on the server file system, potentially including configuration files, database credentials, or other sensitive data. This is a confidentiality impact with high severity (CVSS 7.5) [3].
Mitigation
Gitea version 1.13.6, released on March 15, 2022, contains the fix for this vulnerability [1][4]. Users should upgrade to version 1.13.6 or later; there is no known workaround other than upgrading [3].
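The weak pattern described under Exploitation (a URL component joined onto the storage root with filepath.Join) beside a containment check that rejects any resolved path outside the avatar directory, as an added Go example for illustration; this is not Gitea's code, and avatarDir and the function names are assumptions:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// avatarDir is a constructed example root, not a real Gitea setting.
const avatarDir = "/data/gitea/avatars"

var ErrTraversal = errors.New("path escapes the avatar directory")

// unsafeAvatarPath shows the weak pattern the advisory describes: a
// user-supplied URL component joined straight onto the storage root.
// filepath.Join cleans the result, but ".." segments still climb
// above avatarDir, so the returned path may point anywhere on disk.
func unsafeAvatarPath(name string) string {
	return filepath.Join(avatarDir, name)
}

// safeAvatarPath joins and cleans as before, then proves the result is
// still inside avatarDir by taking the path relative to the root: a
// relative path that is "..", or starts with "../", has escaped. A
// result of "." is the directory itself, not an avatar file, and is
// rejected as well.
func safeAvatarPath(name string) (string, error) {
	if name == "" {
		return "", ErrTraversal
	}
	full := filepath.Join(avatarDir, name)
	rel, err := filepath.Rel(avatarDir, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	// Constructed inputs: two legitimate names and two traversal attempts.
	for _, name := range []string{"ab12cd", "sub/ab12cd", "../../../etc/hosts", "sub/../../x"} {
		p, err := safeAvatarPath(name)
		fmt.Printf("%-20s unsafe=%-28s safe=%q err=%v\n", name, unsafeAvatarPath(name), p, err)
	}
}
```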
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| code.gitea.io/gitea | Go | < 1.13.6 | 1.13.6 |
Affected products
- Gitea/Gitea (no CPE): versions < 1.13.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/advisories/GHSA-h3q4-vmw4-cpr5 (GHSA advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2021-29134 (advisory)
[3] github.com/go-gitea/gitea/pull/15125/files (fix pull request)
[4] github.com/go-gitea/gitea/releases/tag/v1.13.6 (release notes)
News mentions
No linked articles in our index yet.