Gitea is a lightweight, self-hosted forge for Git repositories, an open-source alternative to GitHub or GitLab. We estimate that JINX-0132 achieves their initial foothold on the target host by exploiting a vulnerability or misconfiguration. We are unsure what method they used in each case, but there are several likely options, as we shall explain.
Older versions of Gitea can be susceptible to post-authentication remote code execution (RCE) due to an insecure default (CVE-2020-14144), but there are multiple prerequisites for exploitation: in versions 1.1.0 through 1.12.5, the flag DISABLE_GIT_HOOKS defaults to false, so any user with permission to create git hooks can add a post-receive script that runs with Gitea’s OS privileges. Note that this vulnerability also affects Gogs (CVE-2020-15867), from which Gitea was forked.
Version 1.13 changed the default of DISABLE_GIT_HOOKS to true, but the risk can resurface if an admin manually overrides this setting and re-enables hooks. In either case, since exploitation is post-authentication, the vulnerability can only realistically lead to remote RCE if the attacker has either obtained access to an existing user with permission to create git hooks, or is able to create a new user (assuming the instance has been configured to allow open registration) and all users have been auto-assigned permission to create git hooks.
Additionally, the short-lived 1.4.0 release is affected by an unauthenticated RCE: a logic flaw lets a remote user write an LFS object without authentication, path-traverse to read ../../../custom/conf/app.ini, forge an admin session, and then exploit the same hook mechanism for code execution. The bug was fixed in version 1.4.1, but wasn’t assigned a CVE.
A separate, independent risk arises if the installer remains unlocked (INSTALL_LOCK=false), as anyone with access to the instance can simply re-run the installation wizard and overwrite the configuration, including resetting admin credentials.
In summary, publicly exposed instances of Gitea are vulnerable to RCE under any of the following conditions:
- The attacker has access to an existing user with permission to create git hooks, or Gitea has been configured to allow open registration and all users have been auto-assigned permission to create git hooks; and git hooks are either enabled by default (if running version 1.1.0 through 1.12.5) or enabled manually (in later versions).
- Simply running version 1.4.0.
- The installation page was left unlocked.
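The three conditions above map onto a handful of app.ini settings plus the running version, so a defender can check an instance mechanically. The following is an added example, not code from the report or from the Gitea project: it reads the `[security]` keys `INSTALL_LOCK` and `DISABLE_GIT_HOOKS` and the `[service]` key `DISABLE_REGISTRATION` from a constructed sample app.ini, takes the version string as a separate input (assumed to come from `gitea --version`), and reports which of the summary's conditions apply. The per-user "may create git hooks" permission lives in the database, not app.ini, so it is not checked here.

```python
import configparser
import re

# Constructed sample app.ini with the weak settings discussed above (not taken from a real host).
SAMPLE_APP_INI = """
[security]
INSTALL_LOCK = false
DISABLE_GIT_HOOKS = false

[service]
DISABLE_REGISTRATION = false
"""


def parse_version(version):
    """Turn a version string such as '1.12.5' into a comparable tuple (1, 12, 5)."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())


def assess_gitea(app_ini_text, version):
    """Return the list of RCE conditions from the summary that apply to this instance.

    app_ini_text: contents of custom/conf/app.ini; version: e.g. "1.12.5"
    (assumed to be read separately from `gitea --version`).
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(app_ini_text)
    ver = parse_version(version)
    findings = []

    # Installer left unlocked: anyone can re-run the wizard and reset admin credentials.
    if not cfg.getboolean("security", "INSTALL_LOCK", fallback=False):
        findings.append("INSTALL_LOCK is false: installation wizard can be re-run")

    # Hooks enabled either explicitly (DISABLE_GIT_HOOKS=false) or via the insecure
    # default on 1.1.0 through 1.12.5, where the key defaulted to false when absent.
    hooks_default_on = (1, 1, 0) <= ver <= (1, 12, 5)
    hooks_disabled = cfg.getboolean("security", "DISABLE_GIT_HOOKS", fallback=not hooks_default_on)
    if not hooks_disabled:
        findings.append("git hooks enabled: hook scripts run with Gitea's OS privileges (CVE-2020-14144)")
        # Open registration lets anyone obtain the account needed for post-auth hook abuse.
        if not cfg.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
            findings.append("open registration: any remote user can create an account")

    if ver == (1, 4, 0):
        findings.append("version 1.4.0: unauthenticated LFS/path-traversal RCE, fixed in 1.4.1")
    return findings
```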