---

CVE-2020-28991 - log back

CVE-2020-28991 edited at 27 Nov 2020 17:10:09

Description

- Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go. + Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go, causing partial SSRF.

CVE-2020-28991 edited at 24 Nov 2020 20:35:13
Severity	- Unknown + Medium
Remote	- Unknown + Remote
Type	- Unknown + Insufficient validation
Description	+ Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go.
References	+ https://github.com/go-gitea/gitea/releases/tag/v1.12.6 + https://github.com/go-gitea/gitea/commit/480efbdb96e4092493ec1e3683b2ab688ac95096
Notes

CVE-2020-28991 created at 24 Nov 2020 20:27:43