CVE-2022-0415
Published 2022-03-21 · CVE-2022-0415: Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.
Priority P2 · 75 · high · 8.8 CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 65.24% (99.2th percentile)
Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.12.6 | 0.12.6 |
| gogs | gogs | < 0.12.6 | 0.12.6 |
| gogs | gogs_gogs | >= unspecified < 0.12.6 | 0.12.6 |
Detection & IOCs (extracted from sources)
- Exploit uploads a malicious git 'config' file via the repository file upload endpoint (upload-file), injecting an sshCommand directive for RCE. Look for multipart POST requests to /<user>/<repo>/upload-file with a filename of 'config' and a body containing 'sshCommand'.
- After uploading the malicious config, the attacker commits it to /.git/ via POST to /_upload/master/ with tree_path=/.git/. Monitor for commit operations targeting the .git directory path.
- Exploitation requires authentication (PR:L). The attack flow is: login → create repo → upload malicious git config → commit to .git path. Authenticated sessions with repo-creation activity followed by upload-file and _upload/master/ requests are suspicious.
- Shodan/FOFA fingerprinting queries for exposed Gogs instances: search for http.title 'sign in - gogs' or CPE cpe:2.3:a:gogs:gogs to identify attack surface.
- Vulnerable versions are Gogs prior to 0.12.6. Detect via the page body containing 'content="Gogs' to confirm the target is a Gogs instance.
- Out-of-band callback (DNS/HTTP) via interactsh confirms RCE. Monitor for unexpected outbound curl/HTTP requests originating from the Gogs server process after a file upload event.
- Exploitation requires a valid authenticated user account on the Gogs instance (CVSS PR:L). Anonymous exploitation is not possible.
- The vulnerability is fixed in Gogs 0.12.6. Instances running 0.12.6 or later are not affected.
- The attack abuses the git config sshCommand injection (CWE-434/CWE-20): the malicious config file must be successfully committed to the .git/ directory path for RCE to trigger.
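The two-stage sequence in the IOC bullets above (a `config` upload containing `sshCommand`, followed by a commit into `.git/` on the same repository by the same user) can be turned into a simple stateful detector. The script below is an added example written for this page, not code from the page's sources or from the Gogs project. It assumes an application-layer request log (for instance from a reverse proxy or WAF that records multipart filenames, a body excerpt and form fields) in a JSON-lines layout invented here; the field names `ts`, `user`, `method`, `path`, `upload_filename`, `upload_body` and `form` are assumptions, and the sample log lines are constructed.

```python
"""Stateful detector for the CVE-2022-0415 upload-then-commit sequence.

Added example; the log format and field names are assumptions, not a Gogs
or proxy schema.
"""
import json
import re
from collections import defaultdict

# Endpoints named in the IOC bullets: the file upload handler and the commit handler.
UPLOAD_FILE_RE = re.compile(r"^/([^/]+)/([^/]+)/upload-file$")
UPLOAD_COMMIT_RE = re.compile(r"^/([^/]+)/([^/]+)/_upload/[^/]+/$")


def repo_key(path):
    """Return (owner, repo) for either endpoint, or None for unrelated paths."""
    m = UPLOAD_FILE_RE.match(path) or UPLOAD_COMMIT_RE.match(path)
    return (m.group(1), m.group(2)) if m else None


def is_malicious_upload(event):
    """Stage 1: POST to upload-file with a file named 'config' whose body
    carries a git sshCommand directive."""
    if event.get("method") != "POST" or not UPLOAD_FILE_RE.match(event.get("path", "")):
        return False
    return event.get("upload_filename") == "config" and "sshCommand" in event.get("upload_body", "")


def is_dotgit_commit(event):
    """Stage 2: POST to /_upload/<branch>/ whose tree_path lands inside .git.
    Leading/trailing slashes are stripped so '/.git/', '.git' and '.git/hooks'
    all count; only the first path component is inspected."""
    if event.get("method") != "POST" or not UPLOAD_COMMIT_RE.match(event.get("path", "")):
        return False
    parts = [p for p in event.get("form", {}).get("tree_path", "").split("/") if p]
    return bool(parts) and parts[0] == ".git"


def find_exploit_sequences(lines):
    """Correlate both stages per (user, repo).

    'high' confidence: malicious upload followed by a .git commit, in that order.
    'medium' confidence: only one stage observed (still worth triage, e.g. when
    the log source does not capture upload bodies and stage 1 can never match).
    """
    state = defaultdict(lambda: {"upload": None, "commit": None})
    for line in lines:
        ev = json.loads(line)
        repo = repo_key(ev.get("path", ""))
        if repo is None:
            continue
        key = (ev.get("user"), repo)
        if is_malicious_upload(ev):
            state[key]["upload"] = ev["ts"]
        elif is_dotgit_commit(ev):
            state[key]["commit"] = ev["ts"]
    findings = []
    for (user, (owner, name)), st in state.items():  # ISO timestamps compare lexically
        if st["upload"] and st["commit"] and st["upload"] <= st["commit"]:
            confidence = "high"
        elif st["upload"] or st["commit"]:
            confidence = "medium"
        else:
            continue
        findings.append({"user": user, "repo": f"{owner}/{name}", "confidence": confidence})
    return findings


# Constructed sample log: one benign upload, one full attack chain, one benign
# commit and one 'config' upload without sshCommand (a legitimate git config).
SAMPLE_LOG = [json.dumps(e) for e in [
    {"ts": "2022-03-22T09:58:00Z", "user": "alice", "method": "POST", "path": "/alice/demo/upload-file",
     "upload_filename": "README.md", "upload_body": "# demo"},
    {"ts": "2022-03-22T10:00:01Z", "user": "mallory", "method": "POST", "path": "/mallory/evil/upload-file",
     "upload_filename": "config", "upload_body": "[core]\n\tsshCommand = <PLACEHOLDER>"},
    {"ts": "2022-03-22T10:00:05Z", "user": "mallory", "method": "POST", "path": "/mallory/evil/_upload/master/",
     "form": {"tree_path": "/.git/", "commit_summary": "add config"}},
    {"ts": "2022-03-22T10:02:00Z", "user": "bob", "method": "POST", "path": "/bob/site/_upload/master/",
     "form": {"tree_path": "/docs/"}},
    {"ts": "2022-03-22T10:03:00Z", "user": "carol", "method": "POST", "path": "/carol/tools/upload-file",
     "upload_filename": "config", "upload_body": "[user]\n\tname = carol"},
]]

if __name__ == "__main__":
    for f in find_exploit_sequences(SAMPLE_LOG):
        print(f)
```

Running the script flags only `mallory` on `mallory/evil` with `high` confidence; Carol's `config` upload is ignored because it contains no `sshCommand`, and Bob's commit targets `/docs/` rather than `.git`. If your log source only sees URLs and not multipart bodies, stage 2 alone (any `tree_path` rooted in `.git`) is still a useful signal, since the advisory states the file must be committed into `.git/` for the RCE to trigger.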
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.9 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | n/a | 8.8 | HIGH | |
OSV · 2024-08-21
CVE-2022-0415: Unrestricted Upload of File with Dangerous Type in Gogs in gogs.io/gogs
GHSA · 2022-03-28 · CVE-2022-0415 [HIGH] CWE-20
Unrestricted Upload of File with Dangerous Type in Gogs
### Impact
A malicious user is able to upload a crafted `config` file into the repository's `.git` directory to gain SSH access to the server. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.
### Patches
Repository file uploads into the `.git` directory are now prohibited. Users should upgrade to 0.12.6 or the latest 0.13.0+dev.
### Workarounds
[Disable repository files upload](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L128-L129).
### References
https://huntr.dev/bounties/b4928cfe-4110-462f-a180-6d5673797902/
### For more information
If you have any questions
OSV · 2022-03-28 · CVE-2022-0415 [HIGH]
Unrestricted Upload of File with Dangerous Type in Gogs
OSV · 2022-03-21 · CVSS 8.8 · CVE-2022-0415 [HIGH]
CVE-2022-0415: Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.
No detection rules found.
Nuclei · CVSS 8.8 · CVE-2022-0415 [HIGH]
Gogs <0.12.6 - Remote Command Execution
Gogs before 0.12.6 is susceptible to remote command execution via the uploading repository file in GitHub repository gogs/gogs. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template (as indexed, cut off mid-field):

```yaml
id: CVE-2022-0415

info:
  name: Gogs <0.12.6 - Remote Command Execution
  author: theamanrawat
  severity: high
  description: |
    Gogs before 0.12.6 is susceptible to remote command execution via the uploading repository file in GitHub repository gogs/gogs. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  impact: |
    Successful exploitation o
```
No writeups or analysis indexed.
Published: 2022-03-21