Nixpkgs: Vulnerability roundup 95: gitea-1.12.5: 1 advisory [7.2]

Created on 20 Oct 2020 · 2 comments · Source: NixOS/nixpkgs


  • [ ] [CVE-2020-14144](https://nvd.nist.gov/vuln/detail/CVE-2020-14144) CVSSv3=7.2 (nixos-20.09, nixos-unstable)

Scanned versions: nixos-20.09: ba2ec4867d7; nixos-unstable: 8133b9cb5f7.

Cc @disassembler
Cc @kolaente
Cc @ma27

security

Most helpful comment

We discussed this within the Gitea maintainers chat and think this is not a CVE. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. That's like saying admin accounts on WordPress can do RCE because they can install plugins from third parties.
We never pretended to sandbox git hooks.

You can see in the PR which "fixed" that issue that it only changed the default settings to mitigate the "issue" but did not really fix the problem: https://github.com/go-gitea/gitea/pull/13058

All 2 comments


disputed
