Base Score

CRITICAL9.8

CVE-2018-18926

Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.

VectorNETWORK

Published Bycve@mitre.org

Published DateNov 04, 2018, 05:29

Affected Versions(1)

code.gitea.io/gitea(Go)

Introduced0

Fixed1.5.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
code.gitea.io/gitea(Go)	0	1.5.2	N/A

Weakness Type (CWE):CWE-384

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://github.com/go-gitea/gitea/issues/5140

Base Score

CRITICAL9.8

Weakness Type (CWE):CWE-384

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH