logo

Database

Lack of data validation - Path Traversal In gogs.io/gogs

Description

Path Traversal in file editor on Windows in Gogs

Impact

The malicious user is able to delete and upload arbitrary file(s). All installations on Windows with repository upload enabled (default) are affected.

Patches

Path cleaning has accommodated for Windows. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.

Workarounds

N/A

References

https://huntr.dev/bounties/2e8cdc57-a9cf-46ae-9088-87f09e6c90ab/

For more information

If you have any questions or comments about this advisory, please post on #7001.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-19922. NVD-2022-19923. OSV-2022-19924. GHSA-994f-7g86-qr565. GCVE-2022-1992

References

1. https://github.com/gogs/gogs/security/advisories/GHSA-994f-7g86-qr562. https://github.com/gogs/gogs/commit/2ca014250fbf0bba94c914d9e43b1f6d8eca3bb03. https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L1294. https://huntr.dev/bounties/2e8cdc57-a9cf-46ae-9088-87f09e6c90ab

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.