GHSA-56j7-2pm8-rgmx

Suggest an improvement
Source
https://github.com/advisories/GHSA-56j7-2pm8-rgmx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-56j7-2pm8-rgmx/GHSA-56j7-2pm8-rgmx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-56j7-2pm8-rgmx
Aliases
Published
2022-06-02T20:52:23Z
Modified
2024-08-21T15:41:56.214330Z
Summary
OS Command Injection in gogs
Details

Impact

The malicious user is able to update a crafted config file into repository's .git directory with to gain SSH access to the server. All installations with repository upload enabled (default) are affected.

Patches

Repository file updates are prohibited to its .git directory. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.

Workarounds

N/A

References

N/A

For more information

If you have any questions or comments about this advisory, please post on #6555.

Database specific
{
    "nvd_published_at": "2022-06-02T14:15:00Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-02T20:52:23Z"
}
References

Affected packages

Go / gogs.io/gogs

Package

Name
gogs.io/gogs
View open source insights on deps.dev
Purl
pkg:golang/gogs.io/gogs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.12.8