CVSS2: 6.5 Medium
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVSS3: 8.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.004 Low
Percentile: 73.1%

A malicious user can write a crafted config file into a repository's .git directory to gain SSH access to the server. All installations with repository upload enabled (default) are affected.
Repository file updates to the repository's .git directory are now prohibited. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.
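A server-side check of the kind the patch describes, as an added Go example (not the Gogs project's code): it rejects any client-supplied tree path that has a .git component after normalization. The names `isGitInternalPath` and `rejectGitPaths` and the sample paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// isGitInternalPath reports whether a repository-relative path supplied by a
// client (upload, web edit, delete) has a ".git" component.
// Hypothetical helper for this example, not the function Gogs ships.
func isGitInternalPath(treePath string) bool {
	// Treat backslashes as separators so the verdict does not depend on the server OS.
	p := strings.ReplaceAll(treePath, `\`, "/")
	// Resolve "." and ".." segments first: "docs/../.git/config" -> "/.git/config".
	p = path.Clean("/" + p)
	for _, seg := range strings.Split(p, "/") {
		// Windows filesystems ignore trailing dots and spaces in a name.
		seg = strings.TrimRight(seg, ". ")
		// Case-insensitive filesystems map ".GIT" to the same directory.
		if strings.EqualFold(seg, ".git") {
			return true
		}
	}
	return false
}

// rejectGitPaths validates a whole batch before anything is written to disk.
func rejectGitPaths(paths []string) error {
	for _, p := range paths {
		if isGitInternalPath(p) {
			return fmt.Errorf("refusing to write %q: path is inside .git", p)
		}
	}
	return nil
}

func main() {
	// Constructed sample paths, not taken from the advisory.
	samples := []string{"README.md", ".gitignore", ".git/config", "docs/../.GIT/config"}
	for _, s := range samples {
		fmt.Printf("%-22q blocked=%v\n", s, isGitInternalPath(s))
	}
	fmt.Println(rejectGitPaths(samples))
}
```

The check belongs on every code path that writes or deletes repository files on behalf of a user, and it complements upgrading rather than replacing it.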
N/A
N/A
If you have any questions or comments about this advisory, please post on #6555.
CPE | Name | Operator | Version |
---|---|---|---|
 | gogs.io/gogs | lt | 0.12.8 |
github.com/advisories/GHSA-56j7-2pm8-rgmx
github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129
github.com/gogs/gogs/issues/6555
github.com/gogs/gogs/pull/6986
github.com/gogs/gogs/releases
github.com/gogs/gogs/releases/tag/v0.12.8
github.com/gogs/gogs/security/advisories/GHSA-56j7-2pm8-rgmx
nvd.nist.gov/vuln/detail/CVE-2021-32546