A vulnerability in the software projects Gitea and Gogs, which are used for self-hosted git servers, allows an attacker with access to an administrative account or an account with special privileges to execute arbitrary code on the server. The vulnerabilities have been assigned CVE-2020-14144 und CVE-2020-15867. Deactivating the git hook feature in Gitea resolves the issue. A similar functionality will be added to Gogs in version 0.13.
The full report is available for download here.
Permalink to this enty: https://url.fzi.de/en-vulns-gitea