Lucene search

GoogleOSV:GHSA-56J7-2PM8-RGMX

HistoryJun 02, 2022 - 8:52 p.m.

OS Command Injection in gogs

2022-06-0220:52:23

Google

osv.dev

0.004 Low

EPSS

Percentile

73.1%

JSON

Impact

The malicious user is able to update a crafted config file into repository’s .git directory with to gain SSH access to the server. All installations with repository upload enabled (default) are affected.

Patches

Repository file updates are prohibited to its .git directory. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.

Workarounds

N/A

References

N/A

For more information

If you have any questions or comments about this advisory, please post on #6555.

CPENameOperatorVersion
gogs.io/gogslt0.12.8

CPE	Name	Operator	Version
	gogs.io/gogs	lt	0.12.8

References

github.com/gogs/gogs

github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129

github.com/gogs/gogs/issues/6555

github.com/gogs/gogs/pull/6986

github.com/gogs/gogs/releases

github.com/gogs/gogs/releases/tag/v0.12.8

github.com/gogs/gogs/security/advisories/GHSA-56j7-2pm8-rgmx

nvd.nist.gov/vuln/detail/CVE-2021-32546

0.004 Low

EPSS

Percentile

73.1%

JSON

Related for OSV:GHSA-56J7-2PM8-RGMX