Gogs.Io Gogs vulnerabilities
50 known vulnerabilities affecting gogs.io/gogs.
Total CVEs: 50
CISA KEV: 1 (actively exploited)
Public exploits: 7
Exploited in wild: 0
Severity breakdown: CRITICAL 14, HIGH 18, MEDIUM 18
Vulnerabilities
Page 2 of 3
CVE-2024-56731 [CRITICAL] CWE-552 Gogs allows deletion of internal files which leads to remote command execution
CVSS 9.9 | Affected: ≥ 0, < 0.13.3 | Published: 2025-06-24
### Summary
Due to the insufficient patch for CVE-2024-39931, it is still possible to delete files under the `.git` directory and achieve remote command execution.
### Details
In the patch for CVE-2024-39931, the following check is added:
https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b5
Sources: GHSA, OSV
CVE-2024-39931 [CRITICAL] CWE-552 Gogs allows deletion of internal files
CVSS 9.9 | Affected: ≥ 0, < 0.13.1 | Published: 2024-12-23
### Impact
Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.
### Patches
Deletion of `.git` files has been prohibited (https://github.com/gogs/gogs/pull/7870). Users should upgrade to 0.13.
Sources: GHSA, OSV
CVE-2024-39930 [CRITICAL] CWE-88 Gogs has an argument injection in the built-in SSH server
CVSS 9.9 | PoC available | Affected: ≥ 0, < 0.13.1 | Published: 2024-12-23
### Impact
When the built-in SSH server is enabled (`[server] START_SSH_SERVER = true`), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same in
Sources: GHSA, OSV
CVE-2024-39932 [CRITICAL] CWE-94 Gogs allows argument injection during the previewing of changes
CVSS 9.9 | Affected: ≥ 0, < 0.13.1 | Published: 2024-12-23
### Impact
Unprivileged user accounts can write to arbitrary files on the filesystem. We could demonstrate its exploitation to force a re-installation of the instance, granting administrator rights. It allows accessing and altering any user's code hosted on the same instance.
### Patches
Unintended Git options has been ignored for di
Sources: GHSA, OSV
CVE-2024-54148 [HIGH] CWE-22 Remote Command Execution in file editing in gogs
Affected: ≥ 0, < 0.13.1 | Published: 2024-12-23
### Impact
The malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server.
### Patches
Editing a symlink while changing the file name has been prohibited via the repository web editor (https://github.com/gogs/gogs/pull/7857). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
### Workarounds
No viable worka
Sources: GHSA, OSV
CVE-2024-55947 [HIGH] CWE-22 Path Traversal in file update API in gogs
PoC available | Affected: ≥ 0, < 0.13.1 | Published: 2024-12-23
### Impact
The malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server.
### Patches
Writing files outside repository Git directory has been prohibited via the repository file update API (https://github.com/gogs/gogs/pull/7859). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
### Workarounds
No viable workaround availabl
Sources: GHSA, OSV
CVE-2024-39933 [HIGH] CWE-88 Gogs allows argument injection when tagging new releases
CVSS 7.7 | Affected: ≥ 0, < 0.13.1 | Published: 2024-12-23
### Impact
Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials (`[database] *`) and `[security] SECRET_KEY`. Attackers could also exfiltrate TLS certificates, other users' repositories, and the Gogs database when the SQL
Sources: GHSA, OSV
CVE-2024-44625 [HIGH] CWE-22 Remote Code Execution in Gogs
Affected: ≥ 0, < 0.13.2 | Published: 2024-11-15
Gogs <0.13.2 is vulnerable to symbolic link path traversal that enables remote code execution via the editFilePost function of internal/route/repo/editor.go.
Sources: GHSA, OSV
CVE-2022-2024 [CRITICAL] CWE-78 Gogs OS Command Injection vulnerability
Affected: ≥ 0, < 0.12.11 | Published: 2023-02-28
### Impact
The malicious user is able to update a crafted `config` file into repository's `.git` directory in combination with crafted file deletion to gain SSH access to the server on case-insensitive file systems. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) on case-in
Sources: GHSA, OSV
CVE-2022-32174 [CRITICAL] CWE-79 Gogs vulnerable to Cross-site Scripting
Affected: ≥ 0.6.5, ≤ 0.12.10 | Published: 2022-10-11
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
Sources: GHSA, OSV
CVE-2022-1986 [CRITICAL] CWE-78 OS Command Injection in file editor in Gogs
Affected: ≥ 0, < 0.12.9 | Published: 2022-06-08
### Impact
The malicious user is able to update a crafted `config` file into repository's `.git` directory in combination with crafted file deletion to gain SSH access to the server. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.
### Patches
File de
Sources: GHSA, OSV
CVE-2022-1992 [CRITICAL] CWE-22 Path Traversal in file editor on Windows in Gogs
Affected: ≥ 0, < 0.12.9 | Published: 2022-06-08
### Impact
The malicious user is able to delete and upload arbitrary file(s). All installations on Windows with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.
### Patches
Path cleaning has accommodated for Windows. Users should upgrade to 0.12.9 or the latest 0.
Sources: GHSA, OSV
CVE-2022-1993 [HIGH] CWE-22 Path Traversal in Git HTTP endpoints in Gogs
Affected: ≥ 0, < 0.12.9 | Published: 2022-06-08
### Impact
The malicious user is able to craft HTTP requests to access unauthorized Git directories. All installations are affected.
### Patches
Path cleaning has accommodated for Git HTTP endpoints. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.
### Workarounds
N/A
### References
https://huntr.dev/bounties/22f9c074-cf60-4c67-b5c4-72fdf312609d/
### For mor
Sources: GHSA, OSV
CVE-2022-31038 [MEDIUM] CWE-79 Cross-site Scripting vulnerability in repository issue list in Gogs
Affected: ≥ 0, < 0.12.9 | Published: 2022-06-08
### Impact
`DisplayName` allows all the characters from users, which leads to an XSS vulnerability when directly displayed in the issue list.
### Patches
`DisplayName` is sanitized before being displayed. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.
### Workarounds
Check and update the existing users' display names t
Sources: GHSA, OSV
CVE-2022-1285 [HIGH] CWE-918 Server-Side Request Forgery in gogs webhook
Affected: ≥ 0, < 0.12.8 | Published: 2022-06-03
### Impact
The malicious user is able to discover services in the internal network through webhook functionality. All installations accepting public traffic are affected.
### Patches
Webhook payload URLs are revalidated before each delivery to make sure they are not resolved to blocked local network addresses. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.
### Worka
Sources: GHSA, OSV
CVE-2021-32546 [CRITICAL] CWE-78 OS Command Injection in gogs
Affected: ≥ 0, < 0.12.8 | Published: 2022-06-02
### Impact
The malicious user is able to update a crafted `config` file into the repository's `.git` directory to gain SSH access to the server. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.
### Patches
Repository file updates are prohibited to its `.git` directory. Users sho
Sources: GHSA, OSV
CVE-2022-1884 [CRITICAL] CWE-77 OS Command Injection in gogs
Affected: ≥ 0, < 0.12.8 | Published: 2022-06-02
### Impact
The malicious user is able to upload a crafted `config` file into the repository's `.git` directory to gain SSH access to the server. All Windows installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.
### Patches
Repository file uploads are prohibited to its `.git` directory. Us
Sources: GHSA, OSV
CVE-2022-1464 [MEDIUM] CWE-79 Cross-site Scripting in Gogs
Affected: ≥ 0, < 0.12.7 | Published: 2022-05-24
### Impact
The malicious user is able to upload a crafted SVG file as an issue attachment to achieve XSS. All installations that [allow uploading SVG (`text/xml`) files as issue attachments (non-default)](https://github.com/gogs/gogs/blob/e51e01683408e10b3dcd2ace65e259ca7f0fd61b/conf/app.ini#L283-L284) are affected.
### Patches
Correctly setting the Content Security Policy for the serving endpoint. Users shou
Sources: GHSA, OSV
CVE-2018-20303 [CRITICAL] CWE-22 Gogs Directory Traversal
CVSS 9.8 | Affected: ≥ 0, < 0.11.82.1218 | Published: 2022-05-14
In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.
Sources: GHSA, OSV
CVE-2018-15192 [HIGH] CWE-918 Gogs and Gitea SSRF Vulnerability
Affected: ≥ 0, < 0.12.0 | Published: 2022-05-14
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.
Sources: GHSA, OSV