
14823 matches found

Veracode
added 2025/01/02 6:19 a.m. | 10 views

Directory Traversal

Gogs is vulnerable to Directory Traversal. The vulnerability is due to improper input handling that allows a malicious user to write a file to an arbitrary path on the server, potentially gaining SSH access...

8.8 CVSS | 7.1 AI score | 0.75197 EPSS
Exploits 3 | References 6 | Affected Software 1

OSV
added 2024/12/23 8:38 p.m. | 9 views

GHSA-VM62-9JW3-C8W3 Gogs has an argument Injection in the built-in SSH server

Impact: When the built-in SSH server is enabled ([server] START_SSH_SERVER = true), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by RUN_USER in the configuration. It allows attackers to access and alter...

9.9 CVSS | 9.8 AI score | 0.07258 EPSS
Exploits 3 | References 4

GitHub Security Blog
added 2024/12/23 8:38 p.m. | 21 views

Gogs has an argument Injection in the built-in SSH server

Impact: When the built-in SSH server is enabled ([server] START_SSH_SERVER = true), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by RUN_USER in the configuration. It allows attackers to access and alter...

9.9 CVSS | 9.8 AI score | 0.07258 EPSS
Exploits 3 | References 4 | Affected Software 1

GitHub Security Blog
added 2024/12/23 8:38 p.m. | 19 views

Gogs allows argument Injection when tagging new releases

Impact: Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials ([database]) and [security] SECRET_KEY. Attackers could also exfiltrate TLS certificates, other users'...

7.7 CVSS | 6.8 AI score | 0.00689 EPSS
Exploits 1 | References 6 | Affected Software 1

OSV
added 2024/12/23 8:38 p.m. | 12 views

GHSA-M27M-H5GJ-WWMG Gogs allows argument Injection when tagging new releases

Impact: Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials ([database]) and [security] SECRET_KEY. Attackers could also exfiltrate TLS certificates, other users'...

7.7 CVSS | 7.5 AI score | 0.00689 EPSS
Exploits 1 | References 6

GitHub Security Blog
added 2024/12/23 5:53 p.m. | 21 views

Path Traversal in file update API in gogs

Impact: The malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. Patches: Writing files outside repository Git directory has been prohibited via the repository file update API (https://github.com/gogs/gogs/pull/7859). Users should upgrade to 0.13...

8.8 CVSS | 8.9 AI score | 0.75197 EPSS
Exploits 3 | References 6 | Affected Software 1

OSV
added 2024/12/23 5:53 p.m. | 9 views

GHSA-QF5V-RP47-55GG Path Traversal in file update API in gogs

Impact: The malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. Patches: Writing files outside repository Git directory has been prohibited via the repository file update API (https://github.com/gogs/gogs/pull/7859). Users should upgrade to 0.13...

8.8 CVSS | 8.9 AI score | 0.75197 EPSS
Exploits 3 | References 6

GitHub Security Blog
added 2024/12/23 5:53 p.m. | 17 views

Remote Command Execution in file editing in gogs

Impact: The malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. Patches: Editing symlink while changing the file name has been prohibited via the repository web editor (https://github.com/gogs/gogs/pull/7857). Users should upgrade to 0.13...

9.8 CVSS | 9.6 AI score | 0.00823 EPSS
Exploits 1 | References 6 | Affected Software 1

OSV
added 2024/12/23 5:53 p.m. | 19 views

GHSA-R7J8-5H9C-F6FX Remote Command Execution in file editing in gogs

Impact: The malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. Patches: Editing symlink while changing the file name has been prohibited via the repository web editor (https://github.com/gogs/gogs/pull/7857). Users should upgrade to 0.13...

9.8 CVSS | 9.6 AI score | 0.00823 EPSS
Exploits 1 | References 6

NVD
added 2024/12/23 4:15 p.m. | 13 views

CVE-2024-55947

Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1...

8.8 CVSS | 0.75197 EPSS
Exploits 3 | References 4

NVD
added 2024/12/23 4:15 p.m. | 22 views

CVE-2024-54148

Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1...

9.8 CVSS | 0.00823 EPSS
Exploits 1 | References 4

Cvelist
added 2024/12/23 3:26 p.m. | 20 views

CVE-2024-55947 Gogs has a Path Traversal in file update API

Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1...

8.7 CVSS | 0.75197 EPSS
Exploits 3 | References 4

CVE
added 2024/12/23 3:26 p.m. | 126 views

CVE-2024-55947

Gogs self-hosted Git service affected up to version 0.13.3. CVE-2024-55947 enables path traversal via the PutContents API, allowing writing files to arbitrary server paths and potentially SSH access. The issue is fixed in 0.13.1; later advisories (CNAs) discuss bypass attempts and continued scrut...

8.8 CVSS | 6.8 AI score | 0.75197 EPSS
Exploits 3 | References 4 | Affected Software 1

Vulnrichment
added 2024/12/23 3:26 p.m. | 17 views

CVE-2024-55947 Gogs has a Path Traversal in file update API

Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1...

8.7 CVSS | 6.7 AI score | 0.75197 EPSS
Exploits 3 | References 4

OSV
added 2024/12/23 3:26 p.m. | 8 views

CVE-2024-55947 Gogs has a Path Traversal in file update API

Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1...

8.7 CVSS | 6.8 AI score | 0.75197 EPSS
Exploits 3 | References 6

Vulnrichment
added 2024/12/23 3:22 p.m. | 12 views

CVE-2024-54148 Gogs has a Path Traversal in file editing UI

Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1...

8.7 CVSS | 7.2 AI score | 0.00823 EPSS
Exploits 1 | References 4

Cvelist
added 2024/12/23 3:22 p.m. | 22 views

CVE-2024-54148 Gogs has a Path Traversal in file editing UI

Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1...

8.7 CVSS | 0.00823 EPSS
Exploits 1 | References 4

CVE
added 2024/12/23 3:22 p.m. | 95 views

CVE-2024-54148

CVE-2024-54148 affects the Gogs open-source self-hosted Git service. A malicious user can commit and edit a crafted symlink file within a repository to gain SSH access to the server. The issue is reported with high/critical impact in the CVSS data and is mitigated by upgrading to version 0.13.1 o...

9.8 CVSS | 6.6 AI score | 0.00823 EPSS
Exploits 1 | References 4 | Affected Software 1

OSV
added 2024/12/23 3:22 p.m. | 12 views

CVE-2024-54148 Gogs has a Path Traversal in file editing UI

Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1...

8.7 CVSS | 6.5 AI score | 0.00823 EPSS
Exploits 1 | References 6

CNNVD
added 2024/12/23 12:0 a.m. | 3 views

Gogs Path Traversal Vulnerability

Gogs Go Git Service is a self-service Git hosting service based on the Go language by the Gogs team, which supports creating and migrating public/private repositories, adding and deleting repository collaborators, and so on. A path traversal vulnerability exists in Gogs versions prior to 0.13.1,...

8.8 CVSS | 6.8 AI score | 0.75197 EPSS
Exploits 3 | References 4