GitHub Advisory DatabaseGHSA-6VCC-V9VW-G2X5Path Traversal in Git HTTP endpoints in Gogs
5.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
0.028 Low
EPSS
Percentile
90.7%
Impact
The malicious user is able to craft HTTP requests to access unauthorized Git directories. All installations with are affected.
Patches
Path cleaning has accommodated for Git HTTP endpoints. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.
Workarounds
N/A
References
https://huntr.dev/bounties/22f9c074-cf60-4c67-b5c4-72fdf312609d/
For more information
If you have any questions or comments about this advisory, please post on #7002.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| gogs.io/gogs | lt | 0.12.9 |
References
github.com/advisories/GHSA-6vcc-v9vw-g2x5
github.com/gogs/gogs/commit/9bf748b6c4c9a17d3aa77f6b9abcfae65451febf
github.com/gogs/gogs/issues/7002
github.com/gogs/gogs/security/advisories/GHSA-6vcc-v9vw-g2x5
huntr.dev/bounties/22f9c074-cf60-4c67-b5c4-72fdf312609d
huntr.dev/bounties/22f9c074-cf60-4c67-b5c4-72fdf312609d/
nvd.nist.gov/vuln/detail/CVE-2022-1993
Related
5.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
0.028 Low
EPSS
Percentile
90.7%