GHSA-pfvh-p8qp-9ww9: Gogs OS Command Injection vulnerability

Package

gomod gogs.io/gogs (Go)

Affected versions

< 0.12.11

Patched versions

0.12.11

Description

Impact

The malicious user is able to update a crafted config file into repository’s .git directory in combination with crafted file deletion to gain SSH access to the server on case-insensitive file systems. All installations with repository upload enabled (default) on case-insensitive file systems (Windows, macOS, etc.) are affected.

Patches

Make sanitization of upload path to .git directory to be case-insensitive. Users should upgrade to 0.12.11 or the latest 0.13.0+dev.

Workarounds

Disable repository upload.

References

https://huntr.dev/bounties/18cf9256-23ab-4098-a769-85f8da130f97/

For more information

If you have any questions or comments about this advisory, please post on gogs/gogs#7030.

References

• GHSA-pfvh-p8qp-9ww9
• https://nvd.nist.gov/vuln/detail/CVE-2022-2024
• gogs/gogs#7030
• gogs/gogs@15d0d6a
• https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129
• https://huntr.dev/bounties/18cf9256-23ab-4098-a769-85f8da130f97

unknwon published to gogs/gogs

Feb 25, 2023

Published by the National Vulnerability Database

Feb 25, 2023

Published to the GitHub Advisory Database

Feb 28, 2023

Reviewed

Feb 28, 2023

Last updated

Feb 28, 2023