CVSS2: 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVSS3: 8.8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.118 Low (Percentile: 95.3%)
Impact: A malicious user can upload a crafted config file into a repository's .git directory to gain SSH access to the server. All installations with repository upload enabled (the default) are affected.
Patches: Repository file uploads into the .git directory are now prohibited. Users should upgrade to 0.12.6 or the latest 0.13.0+dev.
Workarounds: Disable repository file uploads.
For more information: https://huntr.dev/bounties/b4928cfe-4110-462f-a180-6d5673797902/
If you have any questions or comments about this advisory, please post on #6833.
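The fix the advisory describes is a path check on the upload handler: any upload whose final repository-relative path lands inside (or on) a `.git` entry must be rejected, since files under `.git/` (the config in particular) are read by git on every operation the server runs on that repository. The block below is an added example of such a check, written for this page; it is not the Gogs project's own code and the function names `isGitInternalPath` and `validateUploadPath` are hypothetical. It goes beyond the single case in the advisory by also rejecting the bypasses a practitioner would try against a naive prefix check: `..` segments that resolve back into `.git`, backslash separators, mixed case, and a `.git` entry nested below the root.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// isGitInternalPath reports whether a repository-relative path has a
// ".git" segment at any depth (case-insensitive), after normalising
// separators and collapsing "." and ".." components. Added example,
// not the Gogs implementation.
func isGitInternalPath(p string) bool {
	// Treat backslashes as separators so "sub\.git\config" is not missed.
	p = strings.ReplaceAll(p, "\\", "/")
	// Prefix "/" before cleaning so ".." cannot climb above the repo root;
	// "docs/../.git/config" therefore collapses to "/.git/config".
	p = path.Clean("/" + p)
	for _, seg := range strings.Split(strings.TrimPrefix(p, "/"), "/") {
		if strings.EqualFold(seg, ".git") {
			return true
		}
	}
	return false
}

// validateUploadPath joins the directory chosen in the UI (treePath) with
// the uploaded file name, rejects anything that targets .git, and returns
// the cleaned repository-relative path that is safe to write.
func validateUploadPath(treePath, name string) (string, error) {
	full := path.Join(treePath, name)
	if isGitInternalPath(full) {
		return "", fmt.Errorf("upload to %q is not allowed: path targets .git", full)
	}
	return strings.TrimPrefix(path.Clean("/"+full), "/"), nil
}

func main() {
	// Constructed sample uploads: the first two mirror the advisory's attack
	// (a crafted .git/config), the rest probe bypasses and a benign file.
	cases := [][2]string{
		{"", ".git/config"},
		{"docs", "../.git/config"},
		{"", ".GIT\\config"},
		{"vendor/lib", ".git"},
		{"", ".gitignore"},
		{"src", "main.go"},
	}
	for _, c := range cases {
		p, err := validateUploadPath(c[0], c[1])
		if err != nil {
			fmt.Println("REJECT", err)
			continue
		}
		fmt.Println("ACCEPT", p)
	}
}
```

Checking the joined, cleaned path rather than the raw file name is the point: the UI's tree path and the file name are attacker-controlled together, and only their combination says where the write lands.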
CPE
| Name | Operator | Version |
|---|---|---|
| gogs.io/gogs | lt | 0.12.6 |
github.com/advisories/GHSA-5gjh-5j4f-cpwv
github.com/gogs/gogs/commit/0fef3c9082269e9a4e817274942a5d7c50617284
github.com/gogs/gogs/issues/6833
github.com/gogs/gogs/pull/6838
github.com/gogs/gogs/security/advisories/GHSA-5gjh-5j4f-cpwv
huntr.dev/bounties/b4928cfe-4110-462f-a180-6d5673797902
nvd.nist.gov/vuln/detail/CVE-2022-0415