Remote Command Execution Vulnerability in Gogs
CVE-2022-1884
9.8 CRITICAL
Key Information:
- Vendor: Gogs
- Product: gogs/gogs
- CVE Published: 15 November 2024
Summary
A remote command execution vulnerability is present in Gogs versions prior to 0.12.7 when deployed on Windows servers. This issue is caused by insufficient validation of the tree_path parameter during file uploads, which allows an attacker to manipulate the upload destination. By setting tree_path to ".git." (Windows strips the trailing dot from the file name, so the path resolves to the real .git directory), an attacker can upload files into the sensitive .git directory. This can lead to unauthorized modifications of the .git/config file. If core.sshCommand is configured there, it opens the door to remote command execution, potentially enabling attackers to execute arbitrary commands on the affected system.
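The root cause described above is a destination check that compares the raw tree_path against ".git" without accounting for Windows file-name normalisation. The following is an added example of how such a check can be written defensively; it is not Gogs's own code, and the function name IsSafeTreePath is a hypothetical helper. It rejects absolute paths and parent traversal, and trims the trailing dots and spaces that Windows drops before comparing each path component against ".git", on every platform.

```go
package main

import (
	"path"
	"strings"
)

// IsSafeTreePath reports whether a user-supplied tree_path may be used as an
// upload destination inside a repository working tree. Hypothetical helper,
// written for this example and not taken from Gogs.
func IsSafeTreePath(treePath string) bool {
	// Treat backslashes as separators so "dir\.git." is not missed on Windows.
	p := strings.ReplaceAll(treePath, "\\", "/")
	if strings.HasPrefix(p, "/") {
		return false // absolute paths never belong in a tree_path
	}
	cleaned := path.Clean(p)
	if cleaned == "." {
		return true // empty path means the repository root
	}
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return false // would escape the working tree
	}
	for _, comp := range strings.Split(cleaned, "/") {
		// NTFS alternate data stream syntax ("name:stream") is never wanted here.
		if strings.Contains(comp, ":") {
			return false
		}
		// Windows normalisation drops trailing dots and spaces, so ".git." and
		// ".git " both land in the real .git directory. Compare after trimming.
		normalised := strings.TrimRight(comp, ". ")
		if strings.EqualFold(normalised, ".git") {
			return false
		}
	}
	return true
}

func main() {
	for _, tp := range []string{"docs/readme.md", ".git.", "sub/.GIT ", "src/.gitignore"} {
		println(tp, IsSafeTreePath(tp))
	}
}
```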
Affected Version(s)
gogs/gogs <= unspecified
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved