CVE-2020-28991

Source
Severity: Medium
Remote: Yes
Type: Insufficient validation
Description
Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go, causing partial SSRF.
Group     Package  Affected  Fixed     Severity  Status  Ticket
AVG-1299  gitea    1.12.5-1  1.12.6-1  Medium    Fixed
Date         Advisory       Group     Package  Severity  Type
26 Nov 2020  ASA-202011-26  AVG-1299  gitea    Medium    insufficient validation
References
https://github.com/go-gitea/gitea/releases/tag/v1.12.6
https://github.com/go-gitea/gitea/commit/480efbdb96e4092493ec1e3683b2ab688ac95096