CVE-2021-45325

MEDIUM 5.3 | EPSS 0.30%

Gitea displaying raw OpenID error in UI

Published: 2/9/2022
Modified: 8/21/2024
Also known as: GHSA-8h8p-x289-vvqr, BIT-gitea-2021-45325, GO-2022-0308

Description

Gitea is a project to help users set up a self-hosted Git service. A Server-Side Request Forgery (SSRF) vulnerability exists in Gitea before 1.7.0 via the OpenID URL. Gitea can leak sensitive information about the local network through the error message displayed in the UI.

Affected packages (3)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (8)