Severity
9.8 CRITICAL NVD
GHSA 7.5 OSV 6.5 OSV 5.5 OSV 4.7
EPSS
42.3%
top 2.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 25
Latest update: Mar 24

Description

OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (52 packages)

NVD | gogs/gogs | < 0.12.11
Go | gogs.io/gogs | < 0.12.11
CVEListV5 | gogs/gogs_gogs | unspecified 0.12.11
PyPI | authlib/authlib | < 1.3.1
Ubuntu | linux/linux_kernel | < 5.15.0-106.116+2

Patches

🔴 Vulnerability Details (13)

OSV | linux-azure, linux-azure-4.15 vulnerabilities | 2026-03-24
OSV | linux-gcp-fips vulnerabilities | 2026-02-11
OSV | linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle vulnerabilities | 2026-01-29
OSV | libarchive vulnerabilities | 2024-10-16
OSV | linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities | 2024-09-26

📋 Vendor Advisories (11)

Ivanti | Ivanti Security Advisory: CVE-2024-13166 | 2025-01-14
Ivanti | Ivanti Security Advisory: CVE-2024-13158 | 2025-01-14
Ivanti | Ivanti Security Advisory: CVE-2024-13172 | 2025-01-14
Red Hat | kernel: xen: netfront: Backend can crash Linux netfront (Xen Security Advisory 465) | 2024-12-17
Oracle | Oracle Oracle Communications Risk Matrix: Platform (OpenSSL) — CVE-2022-2068 | 2024-10-15

🕵️ Threat Intelligence (2)

Krebs | Microsoft Patch Tuesday, February 2025 Edition | 2025-02-12
Krebs | Microsoft Patch Tuesday, July 2024 Edition | 2024-07-09

📐 Framework References (1)

ATT&CK | APT28 Nearest Neighbor Campaign

💬 Community (1)

Bugzilla | CVE-2022-48619 kernel: event code falling outside of a bitmap in input_set_capability() leads to panic | 2024-01-12