Fluid Attacks Database

Description

OS Command Injection in gogs

Impact

The malicious user is able to update a crafted config file into repository's .git directory with to gain SSH access to the server. All installations with repository upload enabled (default) are affected.

Patches

Repository file updates are prohibited to its .git directory. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.

Workarounds

N/A

References

N/A

For more information

If you have any questions or comments about this advisory, please post on #6555.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	gogs.io/gogs	>=0 <0.12.8	0.12.8

Aliases

1. CVE-2021-325462. NVD-2021-325463. OSV-2021-325464. GHSA-56j7-2pm8-rgmx5. GCVE-2021-32546

References

1. https://github.com/gogs/gogs/security/advisories/GHSA-56j7-2pm8-rgmx2. https://github.com/gogs/gogs/issues/65553. https://github.com/gogs/gogs/pull/69864. https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L1295. https://github.com/gogs/gogs/releases6. https://github.com/gogs/gogs/releases/tag/v0.12.8

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.