CVE-2020-28991

Severity Medium
Remote Yes
Type Insufficient validation
Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go, causing partial SSRF.
Group     Package  Affected  Fixed     Severity  Status  Ticket
AVG-1299  gitea    1.12.5-1  1.12.6-1  Medium    Fixed
Date         Advisory       Group     Package  Severity  Type
26 Nov 2020  ASA-202011-26  AVG-1299  gitea    Medium    insufficient validation
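
The condition named in the description (git protocol, explicit TCP port, URL-encoded newline) can be written as an input check on a remote address. The Go code below is an added example, not Gitea's ParseRemoteAddr or its actual patch; checkGitRemoteAddr, ErrUnsafeGitAddr and the sample addresses are hypothetical names and constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnsafeGitAddr is a hypothetical error value used only in this example.
var ErrUnsafeGitAddr = errors.New("git:// address with a port contains an encoded newline")

// checkGitRemoteAddr (hypothetical helper) rejects the combination from the
// CVE description: git scheme + explicit TCP port + URL-encoded CR or LF.
func checkGitRemoteAddr(remoteAddr string) error {
	u, err := url.Parse(remoteAddr)
	if err != nil {
		// url.Parse already refuses literal control characters.
		return fmt.Errorf("unparseable remote address: %w", err)
	}
	// url.Parse lower-cases the scheme, so a plain comparison is enough.
	if u.Scheme != "git" || u.Port() == "" {
		return nil // outside the condition this check covers
	}
	// Inspect the raw string rather than the decoded path, and lower-case
	// it so that %0a/%0A and %0d/%0D are all matched.
	raw := strings.ToLower(remoteAddr)
	if strings.Contains(raw, "%0a") || strings.Contains(raw, "%0d") {
		return ErrUnsafeGitAddr
	}
	return nil
}

func main() {
	// Constructed sample addresses, not taken from the advisory.
	samples := []string{
		"git://example.com:9418/owner/repo.git",
		"git://example.com:1234/repo%0D%0Aline",
		"git://example.com/repo%0aline",
		"https://example.com:443/a%0ab",
	}
	for _, addr := range samples {
		fmt.Printf("%-42q -> %v\n", addr, checkGitRemoteAddr(addr))
	}
}
```

The check is scoped to the exact combination in the description; a deployment that never needs encoded newlines in clone addresses can reject them for every scheme instead.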