CVE-2018-20303
Published 2018-12-20
CVE-2018-20303: In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under…
Priority: P3 · 44 · high · 7.5 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EPSS: 3.20% (86.5th percentile)
In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.11.82.1218 | 0.11.82.1218 |
| gogs | gogs | < 0.11.82.1218 | 0.11.82.1218 |
CVSS provenance
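| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |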
VulDB
Gogs up to 0.11.66 File Upload pkg/tool/path.go path traversal (EUVD-2022-3398)
vuldb·2026-05-23·CVSS 7.5
CVE-2018-20303 [HIGH] Gogs up to 0.11.66 File Upload pkg/tool/path.go path traversal (EUVD-2022-3398)
A vulnerability was found in Gogs up to 0.11.66 and classified as critical. This issue affects some unknown processing of the file pkg/tool/path.go of the component File Upload. Such manipulation leads to path traversal.
This vulnerability is uniquely identified as CVE-2018-20303. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
OSV
Gogs Directory Traversal
osv·2022-05-14·CVSS 9.8
CVE-2018-20303 [CRITICAL] Gogs Directory Traversal
In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.
GHSA
Gogs Directory Traversal
ghsa·2022-05-14·CVSS 9.8
CVE-2018-20303 [CRITICAL] CWE-22 Gogs Directory Traversal
In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/gogs/gogs/commit/ff93d9dbda5cebe90d86e4b7dfb2c6b8642970ce
https://github.com/gogs/gogs/issues/5558
https://pentesterlab.com/exercises/cve-2018-18925/
Published: 2018-12-20