
CVE-2019-11576: Gitea Allows 1FA Even for 2FA-Enrolled Accounts

CVSS Score: 9.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.59775%
Published: 5/24/2022
Updated: 4/24/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: code.gitea.io/gitea
Ecosystem: go
Vulnerable Versions: < 1.8.0
First Patched Version: 1.8.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from missing 2FA enforcement in API authentication flows. The GitHub PRs #6674/6676 show critical changes adding OTP checks to API context handlers. Specifically:

  1. routers/api/v1/api.go's ctxUser was modified to include 2FA verification
  2. modules/context/api.go's APIContext was updated to handle 2FA requirements

These changes indicate the previous absence of 2FA checks in these authentication pathways, allowing 1FA-only access to 2FA-enabled accounts via API endpoints.
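The pattern behind this root cause, shown as an added example rather than Gitea's code: a basic-auth API path that accepts a correct password as the only factor (the pre-1.8.0 behaviour described above) beside the corrected path, which additionally demands a one-time code whenever the account has completed 2FA enrollment. The account store, the sample users and their fixed OTP value are constructed for this demo; a real server would derive the expected code from the user's TOTP secret. The X-Gitea-OTP header name follows Gitea's documented API convention for supplying the second factor with basic auth, but the handler is illustrative and is not taken from the project.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// account is a constructed stand-in for a user record; it is not Gitea's model.
type account struct {
	name        string
	password    string // plaintext only so the demo is self-contained
	totpEnabled bool   // true once the user has completed 2FA enrollment
	currentOTP  string // the code a real server would compute from the TOTP secret
}

// Constructed sample data: alice has enrolled in 2FA, bob has not.
var accounts = map[string]*account{
	"alice": {name: "alice", password: "correct horse", totpEnabled: true, currentOTP: "123456"},
	"bob":   {name: "bob", password: "hunter2", totpEnabled: false},
}

var (
	ErrBadCredentials = errors.New("invalid username or password")
	ErrOTPRequired    = errors.New("account has 2FA enabled; one-time password required")
	ErrInvalidOTP     = errors.New("invalid one-time password")
)

// equal compares secrets in constant time so timing does not leak a prefix match.
func equal(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// authenticateVulnerable mirrors the behaviour described above: the password is
// the only factor ever checked, so 2FA enrollment is silently bypassed on this path.
func authenticateVulnerable(name, pass string) (*account, error) {
	u, ok := accounts[name]
	if !ok || !equal(u.password, pass) {
		return nil, ErrBadCredentials
	}
	return u, nil
}

// authenticateFixed adds the missing enforcement: once the password succeeds,
// a 2FA-enrolled account must also present a valid one-time code.
func authenticateFixed(name, pass, otp string) (*account, error) {
	u, err := authenticateVulnerable(name, pass)
	if err != nil {
		return nil, err
	}
	if u.totpEnabled {
		if otp == "" {
			return nil, ErrOTPRequired
		}
		if !equal(u.currentOTP, otp) {
			return nil, ErrInvalidOTP
		}
	}
	return u, nil
}

// apiHandler wires the fixed check into a basic-auth API endpoint (illustrative).
func apiHandler(w http.ResponseWriter, r *http.Request) {
	name, pass, ok := r.BasicAuth()
	if !ok {
		w.Header().Set("WWW-Authenticate", `Basic realm="api"`)
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	u, err := authenticateFixed(name, pass, r.Header.Get("X-Gitea-OTP"))
	if err != nil {
		// One status for every failure, so the response does not reveal which
		// factor failed or whether the account has 2FA enabled.
		http.Error(w, "authentication failed", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "hello %s\n", u.name)
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(apiHandler))
	defer srv.Close()
	// Same valid credentials for the enrolled user, once without and once with the OTP header.
	for _, otp := range []string{"", "123456"} {
		req, err := http.NewRequest("GET", srv.URL+"/api/v1/user", nil)
		if err != nil {
			panic(err)
		}
		req.SetBasicAuth("alice", "correct horse")
		if otp != "" {
			req.Header.Set("X-Gitea-OTP", otp)
		}
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			panic(err)
		}
		fmt.Printf("otp=%q -> HTTP %d\n", otp, resp.StatusCode)
		resp.Body.Close()
	}
}
```

Running it prints HTTP 401 for the request that carries only the password and HTTP 200 once the one-time code is present; with authenticateVulnerable in place of authenticateFixed, both requests would succeed. The useful review question for any authentication path (web session, API token, basic auth, git-over-HTTP) is whether the enrollment flag is consulted on every one of them, not just the interactive login form.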

WAF Protection Rules

WAF Rule

Gitea before 1.8.0 allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an attacker could send them to the API without requiring the 2FA one-time password.
