CVE-2018-18926 – code.gitea.io/gitea
Package
Manager: go
Name: code.gitea.io/gitea
Vulnerable Version: >=0 <1.5.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.07092 (percentile: 0.91156)
Details
Gitea Remote Code Execution (RCE)
Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.
Metadata
Created: 2022-02-15T01:57:18Z
Modified: 2023-09-15T18:13:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-hf6f-jq25-8gq9/GHSA-hf6f-jq25-8gq9.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-hf6f-jq25-8gq9
Finding: F422
Auto approve: 1