
x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-958j-443g-7mm7 #749

Closed · opened by @julieqiu

Description

In GitHub Security Advisory GHSA-958j-443g-7mm7, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| gogs.io/gogs | 0.12.8 | < 0.12.8 |

See doc/triage.md for instructions on how to triage this report.

```yaml
packages:
  - package: gogs.io/gogs
    versions:
      - fixed: 0.12.8
description: |
    ### Impact

    The malicious user is able to upload a crafted `config` file into the repository's `.git` directory to gain SSH access to the server. All Windows installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.

    ### Patches

    Repository file uploads are prohibited to its `.git` directory. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.

    ### Workarounds

    [Disable repository files upload](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L128-L129).

    ### References

    https://www.huntr.dev/bounties/9cd4e7b7-0979-4e5e-9a1c-388b58dea76b/

    ### For more information

    If you have any questions or comments about this advisory, please post on #6968.
published: 2022-06-02T20:50:21Z
last_modified: 2022-06-02T20:50:23Z
cves:
  - CVE-2022-1884
ghsas:
  - GHSA-958j-443g-7mm7
links:
    context:
      - https://github.com/advisories/GHSA-958j-443g-7mm7
```
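The fix the advisory describes is to refuse repository uploads that land inside `.git`. The check below is an added example written for this issue, not Gogs's own code; the function name `rejectGitDirUpload` is hypothetical. It normalises the upload path first, because on the affected Windows installations backslashes, mixed case and trailing dots all resolve to the same directory, so a naive prefix check on `.git/` would not be enough.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// rejectGitDirUpload reports whether an uploaded file's repository-relative
// path must be refused because it would be written into a .git directory
// (or as a file literally named .git). It returns the normalised path for logging.
// Hypothetical helper written for this issue; not part of Gogs.
func rejectGitDirUpload(relPath string) (bool, string) {
	// Windows accepts '\' as a separator; fold it so one split rule applies.
	p := strings.ReplaceAll(relPath, "\\", "/")
	// Anchor at "/" so path.Clean drops any leading ".." instead of keeping it,
	// then strip the anchor again to get a repo-relative path.
	p = strings.TrimPrefix(path.Clean("/"+p), "/")
	if p == "" || p == "." {
		return true, "empty path"
	}
	for _, part := range strings.Split(p, "/") {
		// Windows ignores trailing dots and spaces in names, so ".git." is ".git".
		name := strings.TrimRight(part, ". ")
		// Windows file systems are case-insensitive, so ".GIT" is ".git".
		if strings.EqualFold(name, ".git") {
			return true, "path enters .git directory: " + p
		}
	}
	return false, p
}

func main() {
	// Constructed sample upload paths, not taken from the advisory.
	for _, in := range []string{
		".git/config", "..\\.git\\config", "src/../.GIT/hooks/post-receive",
		"a/.git./config", "README.md", "src/.gitignore",
	} {
		rejected, why := rejectGitDirUpload(in)
		fmt.Printf("%-32q rejected=%-5v %s\n", in, rejected, why)
	}
}
```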

Labels

excluded: NOT_IMPORTABLE (This vulnerability only exists in a binary and is not importable.)