CVE-2020-15867
published 2020-10-16


Priority: P2 · 71 · high
CVSS 3.1: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
Exploit: available
EPSS: 87.53% (99.7th percentile)
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. NOTE: because this is mentioned in the documentation but not in the UI, it could be considered a "Product UI does not Warn User of Unsafe Actions" issue.

Affected (1 range)

Vendor   Product   Version range    Fixed in
gogs     gogs      0.5.5 – 0.12.2   (none listed)

Detection & IOCs (extracted from sources)

url:     POST /user/login HTTP/1.1
path:    /{{username}}/{{randstr}}/settings/hooks/git/post-receive
command: #!/bin/bash\ncurl {{interactsh-url}}
  • Exploitation involves a POST request to the git post-receive hook endpoint path matching the pattern /<user>/<repo>/settings/hooks/git/post-receive — monitor for authenticated POST requests to this path on Gogs instances.
  • The exploit flow creates a new repository, sets a post-receive git hook with a shell payload, then commits a dummy file to trigger execution — detect rapid repo creation followed by hook configuration and a commit from the same session.
  • The Nuclei template fingerprints Gogs by checking the response body for the string 'content="Gogs' — use this as a passive detection signal for exposed Gogs instances.
  • Shodan/FOFA exposure queries for vulnerable Gogs instances: search for cpe:"cpe:2.3:a:gogs:gogs" or title="sign in - gogs" to identify internet-exposed targets.
  • In the wild exploitation (JINX-0132 campaign) leverages this git-hooks RCE on Gitea/Gogs to deploy XMRig cryptominer; post-exploitation indicator is execution of xmrig connecting to pool.supportxmr.com:443.
  • Attacker-controlled Monero wallet address used in wild exploitation: 468VEByGGFQSN2bJG99ovhe5SG9SLxLAA9e2s7tWFxvBM33FAEP4JbwYHEeXexq8djYpDEHg9Jq6eGF3rREnAAc4UkjLd3E — flag any outbound connections referencing this wallet.
  • The vulnerability is only exploitable when a user has been granted git hook creation permissions. For non-admin users, an administrator must explicitly grant this permission; admin users have it by default.
  • For Gitea (the Gogs fork), the risk is mitigated in version 1.13+ where DISABLE_GIT_HOOKS defaults to true; however, an admin manually re-enabling hooks restores the attack surface.
  • The Metasploit module notes the Windows version of Gogs could not be tested as the git hook feature appears broken on Windows, limiting confirmed RCE to Linux deployments.
  • The Monero wallet address IOC is brittle: the threat actor can trivially replace it in future campaign iterations.
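The two detection signals above (an authenticated POST to the git-hook settings path, followed shortly by a push to the same repository from the same client) can be turned into a small log check. The following is an added example written for this page, not code from cvebase, Gogs or the Nuclei template; the log lines are constructed, and the assumption that a push shows up as POST /<user>/<repo>.git/git-receive-pack is standard git smart-HTTP behaviour, not something the advisory states. It also matches the pre-receive and update hook paths alongside post-receive, since all three are edited through the same settings UI.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [16/Oct/2020:10:00:01 +0000] "POST /user/login HTTP/1.1" 302 0
10.0.0.5 - alice [16/Oct/2020:10:00:20 +0000] "POST /alice/demo/settings/hooks/git/post-receive HTTP/1.1" 302 0
10.0.0.5 - alice [16/Oct/2020:10:00:45 +0000] "POST /alice/demo.git/git-receive-pack HTTP/1.1" 200 512
10.0.0.9 - bob [16/Oct/2020:10:05:00 +0000] "GET /bob/tools/settings HTTP/1.1" 200 8192
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Path pattern from the advisory: /<user>/<repo>/settings/hooks/git/post-receive (plus the two sibling hooks)
HOOK_RE = re.compile(r'^/(?P<user>[^/]+)/(?P<repo>[^/]+)/settings/hooks/git/(pre-receive|update|post-receive)$')
# Assumption: a following push arrives on the smart-HTTP endpoint /<user>/<repo>.git/git-receive-pack
PUSH_RE = re.compile(r'^/(?P<user>[^/]+)/(?P<repo>[^/]+)\.git/git-receive-pack$')


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def find_hook_abuse(log_text, window=timedelta(minutes=10)):
    """Alert on every git-hook edit; escalate to 'high' when the same client pushes to that repo within `window`."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    alerts = []
    for i, e in enumerate(events):
        h = HOOK_RE.match(e['path']) if e['method'] == 'POST' else None
        if not h:
            continue
        alert = {'ip': e['ip'], 'user': e['user'], 'repo': f"{h['user']}/{h['repo']}",
                 'hook': h.group(3), 'severity': 'medium'}
        for later in events[i + 1:]:
            if later['ts'] - e['ts'] > window:
                break
            p = PUSH_RE.match(later['path'])
            if p and later['ip'] == e['ip'] and (p['user'], p['repo']) == (h['user'], h['repo']):
                alert['severity'] = 'high'  # hook written, then push from the same source: execution likely
                break
        alerts.append(alert)
    return alerts
```

A hook edit alone is normal administration on instances where hooks are intentionally enabled, so the medium-severity hit is a review item; the escalated hit is the sequence the advisory describes.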

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     7.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P