logo

Database

Lack of data validation - Path Traversal In gogs.io/gogs

Description

Path Traversal in Git HTTP endpoints in Gogs

Impact

The malicious user is able to craft HTTP requests to access unauthorized Git directories. All installations with are affected.

Patches

Path cleaning has accommodated for Git HTTP endpoints. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.

Workarounds

N/A

References

https://huntr.dev/bounties/22f9c074-cf60-4c67-b5c4-72fdf312609d/

For more information

If you have any questions or comments about this advisory, please post on #7002.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-19932. NVD-2022-19933. OSV-2022-19934. GHSA-6vcc-v9vw-g2x55. GCVE-2022-1993

References

1. https://github.com/gogs/gogs/security/advisories/GHSA-6vcc-v9vw-g2x52. https://github.com/gogs/gogs/issues/70023. https://github.com/gogs/gogs/commit/9bf748b6c4c9a17d3aa77f6b9abcfae65451febf4. https://huntr.dev/bounties/22f9c074-cf60-4c67-b5c4-72fdf312609d

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.