CVE-2021-32546OS Command Injection in Gogs

CWE-78OS Command Injection4 documents3 sources
Severity
8.8HIGHNVD
EPSS
1.4%
top 19.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Gogs.io GogsGogs
Timeline
PublishedJun 2
Latest updateAug 21

Description

Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configuration can contain an option such as sshCommand, which is executed when a master branch is a remote branch (using an ssh:// URI). The remote branch can also be configured by editing the Git configuration file. One can cr

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDgogs/gogs< 0.12.8
Gogogs.io/gogs< 0.12.8

🔴Vulnerability Details

3
OSV
OS Command Injection in gogs in gogs.io/gogs2024-08-21
GHSA
OS Command Injection in gogs2022-06-02
OSV
OS Command Injection in gogs2022-06-02