
GHSA-994f-7g86-qr56: Path Traversal in file editor on Windows in Gogs

Impact

A malicious user is able to delete and upload arbitrary files. All installations on Windows with repository upload enabled (default) are affected.

Patches

Path cleaning now accommodates Windows. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.
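Why path cleaning has to account for Windows, shown as an added example (this is not the Gogs source; the function names and sample inputs are hypothetical): a cleaner that only understands `/` leaves `..` elements written with `\` untouched, while one that normalises both separator styles resolves them.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// cleanSlashOnly (hypothetical) treats "/" as the only separator, so a
// backslash is just another character inside one path element.
func cleanSlashOnly(p string) string {
	return strings.Trim(path.Clean("/"+p), "/")
}

// cleanBothSeparators (hypothetical) maps "\" to "/" before cleaning, so
// ".." elements written in either style are resolved against the root.
func cleanBothSeparators(p string) string {
	p = strings.ReplaceAll(p, `\`, "/")
	return strings.Trim(path.Clean("/"+p), "/")
}

// hasDotDotElement reports whether p still contains a ".." element when
// split the way Windows splits paths (on "/" and on "\").
func hasDotDotElement(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, elem := range strings.FieldsFunc(p, isSep) {
		if elem == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	samples := []string{`docs/readme.md`, `../../outside.txt`, `..\..\outside.txt`, `a/..\..\outside.txt`}
	for _, in := range samples {
		weak, fixed := cleanSlashOnly(in), cleanBothSeparators(in)
		fmt.Printf("%-22q slash-only=%-22q dotdot=%-5v both=%-16q dotdot=%v\n",
			in, weak, hasDotDotElement(weak), fixed, hasDotDotElement(fixed))
	}
}
```

A check like `hasDotDotElement` is also usable as a regression test: any cleaned name that still contains a `..` element under Windows splitting should be rejected before it reaches the filesystem.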

Workarounds

N/A

References

https://huntr.dev/bounties/2e8cdc57-a9cf-46ae-9088-87f09e6c90ab/

For more information

If you have any questions or comments about this advisory, please post on #7001.


Critical severity · GitHub Reviewed · Published Jun 8, 2022 in gogs/gogs · Updated Jun 8, 2022


Package

gomod: gogs.io/gogs (Go)

Affected versions

< 0.12.9

Related news

CVE-2022-1992: pathutil: check both styles of `os.PathSeparator` (#7020) · gogs/gogs@2ca0142

Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.