GHSA-hf6f-jq25-8gq9

Suggest an improvement
Source
https://github.com/advisories/GHSA-hf6f-jq25-8gq9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-hf6f-jq25-8gq9/GHSA-hf6f-jq25-8gq9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hf6f-jq25-8gq9
Aliases
Published
2022-02-15T01:57:18Z
Modified
2024-08-21T15:57:39.762527Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Gitea Remote Code Execution (RCE)
Details

Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.

Database specific 
{
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed_at": "2021-05-12T18:25:03Z",
    "nvd_published_at": null,
    "github_reviewed": true
}
References

Affected packages

Go / code.gitea.io/gitea

Package

Name
code.gitea.io/gitea
View open source insights on deps.dev
Purl
pkg:golang/code.gitea.io/gitea

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.2