Remote Command Execution Vulnerability in Gogs
CVE-2022-1884
9.8CRITICAL
What is CVE-2022-1884?
A remote command execution vulnerability is present in Gogs versions prior to 0.12.7 when deployed on Windows servers. This issue is caused by insufficient validation of the tree_path parameter during file uploads, which allows an attacker to manipulate the upload destination. By setting the tree_path to .git., an attacker can upload files to the sensitive .git directory. This can lead to unauthorized modifications of the .git/config file. If the core.sshCommand is configured, it opens the door for remote command execution, potentially enabling attackers to execute arbitrary commands on the affected system.
Affected Version(s)
gogs/gogs <= unspecified
