cbcvebase.
CVE-2018-18925
published 2018-11-04

Priority: P270 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 31.88% (98.1th percentile)
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.

Affected (3 ranges)

Vendor    Product  Version range           Fixed in
gogs.io   gogs     >= 0, < 0.11.82.1218    0.11.82.1218
gogs      gogs     < 0.11.82.1218          0.11.82.1218
gogs      gogs     <= 0.11.66              (not listed)

Detection & IOCs (extracted from sources)

cookie: i_like_gogits=../../../../etc/passwd
path: ../../../../etc/passwd
  • HTTP 500 response to a path-traversal session cookie (i_like_gogits=../../../../etc/passwd) followed by HTTP 200 to a non-existent path (../../../../etc/dummy) is the fingerprint for a vulnerable Gogs instance.
  • Monitor for session cookie values (i_like_gogits) containing '..' directory traversal sequences, indicating session-file forgery attempts against Gogs.
  • Shodan/FOFA queries can identify exposed Gogs instances: search for cpe:"cpe:2.3:a:gogs:gogs" or title="sign in - gogs".
  • The vulnerability is specific to Gogs 0.11.66 using the file-based session provider; instances using other session backends (e.g., database, Redis) may not be exploitable via this exact path-traversal vector.
  • The session ID validation flaw is rooted in the go-macaron/session library used by Macaron; any application using this library with file-based sessions may be similarly affected.
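The second bullet above says to monitor the i_like_gogits cookie for '..' traversal sequences. Below is an added example, not code from the cbcvebase page, Gogs or go-macaron, that runs that check over a few constructed access-log lines. It goes a step beyond a literal '..' match: the cookie value is percent-decoded until it stops changing, so encoded and double-encoded traversal sequences are caught as well, and any path separator in what should be an opaque session token is treated as a forgery attempt. The log format, field names, sample addresses and the helper names (parse_cookie_header, normalize, is_forged_session_id, scan_log, count_by_source) are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Name of the Gogs session cookie listed in the advisory's IOCs.
COOKIE_NAME = "i_like_gogits"

# Constructed log format (an assumption for this example):
#   <timestamp> <client-ip> "<METHOD> <path>" <status> cookie="<Cookie header>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)

# A ".." path segment, whether at the start, in the middle or at the end of the value.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def parse_cookie_header(header):
    """Split a Cookie header ('a=1; b=2') into a dict of name -> raw value."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def normalize(value, max_rounds=3):
    """Percent-decode until stable (catches double encoding), then map backslashes to '/'."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_forged_session_id(value):
    """A real session id is an opaque token; a path separator or '..' segment means forgery."""
    normalized = normalize(value)
    return "/" in normalized or TRAVERSAL_RE.search(normalized) is not None


def scan_log(lines):
    """Return one alert per request whose Gogs session cookie looks like a filesystem path."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # not in the expected format; skip rather than guess
        session_id = parse_cookie_header(match["cookie"]).get(COOKIE_NAME)
        if session_id is None or not is_forged_session_id(session_id):
            continue
        alerts.append({
            "ts": match["ts"],
            "src": match["src"],
            "status": int(match["status"]),
            "session_id": session_id,
            "decoded": normalize(session_id),
        })
    return alerts


def count_by_source(alerts):
    """Count alerts per client address so repeated probing from one host stands out."""
    counts = {}
    for alert in alerts:
        counts[alert["src"]] = counts.get(alert["src"], 0) + 1
    return counts


# Constructed sample log lines; the addresses come from documentation ranges.
SAMPLE_LOG = [
    # benign request: opaque hex session id
    '2018-11-05T10:00:01Z 198.51.100.4 "GET /user/login" 200 cookie="i_like_gogits=4f2c9a1b7e3d5c0a9b8f; lang=en-US"',
    # the raw traversal value from the advisory's IOC list
    '2018-11-05T10:00:02Z 203.0.113.7 "GET /" 500 cookie="i_like_gogits=../../../../etc/passwd"',
    # the same idea, percent-encoded
    '2018-11-05T10:00:03Z 203.0.113.7 "GET /" 500 cookie="i_like_gogits=%2e%2e%2f%2e%2e%2fetc%2fpasswd"',
    # double-encoded, which a single decode would miss
    '2018-11-05T10:00:04Z 203.0.113.7 "GET /" 500 cookie="i_like_gogits=%252e%252e%252fetc%252fpasswd"',
    # request without the Gogs session cookie at all
    '2018-11-05T10:00:05Z 198.51.100.4 "GET /explore" 200 cookie="lang=en-US"',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(f'{alert["ts"]} {alert["src"]} status={alert["status"]} '
              f'session_id={alert["session_id"]!r} decoded={alert["decoded"]!r}')
    print("alerts per source:", count_by_source(found))
```

The same is_forged_session_id check can be placed in front of the application (reverse proxy or WAF rule) as well as run over historical logs; the repeated-decode step matters in both places, because a rule that only looks for a literal '..' never sees the encoded variants.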

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa             9.8    CRITICAL
osv              9.8    CRITICAL