github.com/gogs/gogs is vulnerable to OS Command Injection. The isRepositoryGitPath function in repo_editor.go does not properly check the git path on case-insensitive file systems, which allows an attacker to upload malicious config files into the system.
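
The case-sensitivity gap described above, shown as an added Go example (not Gogs's own code; the function names and sample paths are constructed for illustration): a check that matches only the literal `.git` segment beside one that compares path segments case-insensitively.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// segments normalizes separators, resolves "." and "..", and splits the path.
func segments(p string) []string {
	return strings.Split(path.Clean(strings.ReplaceAll(p, "\\", "/")), "/")
}

// isGitPathExactCase (hypothetical) is the weak form: it recognizes only the
// literal lower-case ".git", so ".GIT" passes even though a case-insensitive
// file system resolves it to the same directory.
func isGitPathExactCase(p string) bool {
	for _, s := range segments(p) {
		if s == ".git" {
			return true
		}
	}
	return false
}

// isGitPathFolded (hypothetical) is the hardened form: every path segment is
// compared to ".git" under case folding, independent of the host file system.
func isGitPathFolded(p string) bool {
	for _, s := range segments(p) {
		if strings.EqualFold(s, ".git") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample paths for an upload or edit request.
	samples := []string{".git/config", ".GIT/config", "a/../.gIt/config", ".gitignore", "docs/readme.md"}
	for _, p := range samples {
		fmt.Printf("%-18s exact=%-5v folded=%v\n", p, isGitPathExactCase(p), isGitPathFolded(p))
	}
}
```

A write path that is rejected whenever the folded check returns true behaves the same on case-sensitive and case-insensitive hosts.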
CPE | Name | Operator | Version |
---|---|---|---|
 | github.com/gogs/gogs | le | v0.12.10 |
github.com/advisories/GHSA-pfvh-p8qp-9ww9
github.com/gogs/gogs/commit/15d0d6a94be0098a8227b6b95bdf2daed105ec41
github.com/gogs/gogs/commit/b1576d5a1fc7ee63ed43c71fbb6da424484d3800
github.com/gogs/gogs/pull/7359
huntr.dev/bounties/18cf9256-23ab-4098-a769-85f8da130f97