Advisories for Golang/Gogs.io/Gogs package

2023
2022

Path Traversal in Git HTTP endpoints in Gogs

Impact The malicious user is able to craft HTTP requests to access unauthorized Git directories. All installations with are affected. Patches Path cleaning has accommodated for Git HTTP endpoints. Users should upgrade to 0.12.9 or the latest 0.13.0+dev. Workarounds N/A References https://huntr.dev/bounties/22f9c074-cf60-4c67-b5c4-72fdf312609d/ For more information If you have any questions or comments about this advisory, please post on #7002.

Path Traversal in file editor on Windows in Gogs

Impact The malicious user is able to delete and upload arbitrary file(s). All installations on Windows with repository upload enabled (default) are affected. Patches Path cleaning has accommodated for Windows. Users should upgrade to 0.12.9 or the latest 0.13.0+dev. Workarounds N/A References https://huntr.dev/bounties/2e8cdc57-a9cf-46ae-9088-87f09e6c90ab/ For more information If you have any questions or comments about this advisory, please post on #7001.

OS Command Injection in file editor in Gogs

Impact The malicious user is able to update a crafted config file into repository's .git directory in combination with crafted file deletion to gain SSH access to the server. All installations with repository upload enabled (default) are affected. Patches File deletions are prohibited to repository's .git directory. Users should upgrade to 0.12.9 or the latest 0.13.0+dev. Workarounds N/A References https://huntr.dev/bounties/776e8f29-ff5e-4501-bb9f-0bd335007930/ For more information If you have any questions or comments …

OS Command Injection in gogs

Impact The malicious user is able to upload a crafted config file into repository's .git directory with to gain SSH access to the server. All Windows installations with repository upload enabled (default) are affected. Patches Repository file uploads are prohibited to its .git directory. Users should upgrade to 0.12.8 or the latest 0.13.0+dev. Workarounds Disable repository files upload. References https://www.huntr.dev/bounties/9cd4e7b7-0979-4e5e-9a1c-388b58dea76b/ For more information If you have any questions or comments …

OS Command Injection in gogs

Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configuration can contain an option such as sshCommand, which is executed when a master branch is a remote branch (using an ssh:// URI). The remote branch can also be configured by editing the …

SSRF in repository migration

Impact The malicious user is able to discover services in the internal network through repository migration functionality. All installations accepting public traffic are affected. Patches Internal network CIDRs are prohibited to be used as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev. Workarounds Run Gogs in its own private network. References https://www.huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531/ For more information If you have any questions or comments about this advisory, please …

Improper Authorization in Gogs

Impact Expired PAM accounts and accounts with expired passwords are continued to be seen as valid. Installations use PAM as authentication sources are affected. Patches Expired PAM accounts and accounts with expired passwords are no longer being seen as valid. Users should upgrade to 0.12.5 or the latest 0.13.0+dev. Workarounds In addition to marking PAM accounts as expired, also disable/lock them. Running usermod -L <username> will add an exclamation mark …

2021