OS Command Injection in gogs

2022-06-0220:50:21

Google

osv.dev

command injection

gogs

ssh access

windows

patch

workaround

security advisory

JSON

Impact

The malicious user is able to upload a crafted config file into repository’s .git directory with to gain SSH access to the server. All Windows installations with repository upload enabled (default) are affected.

Patches

Repository file uploads are prohibited to its .git directory. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.

Workarounds

Disable repository files upload.

References

https://www.huntr.dev/bounties/9cd4e7b7-0979-4e5e-9a1c-388b58dea76b/

For more information

If you have any questions or comments about this advisory, please post on #6968.

References

github.com/gogs/gogs

github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129

github.com/gogs/gogs/issues/6968

github.com/gogs/gogs/pull/6970

github.com/gogs/gogs/releases/tag/v0.12.8

github.com/gogs/gogs/security/advisories/GHSA-958j-443g-7mm7

www.huntr.dev/bounties/9cd4e7b7-0979-4e5e-9a1c-388b58dea76b

JSON

Related for OSV:GHSA-958J-443G-7MM7