A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the .git directory, allowing them to write or rewrite the `.git/config` file. If the `core.sshCommand` is set, this can lead to remote command execution.
An attacker, without any authorization, uploads a file with the `tree_path` parameter set to `.git.`, which on Windows systems allows bypassing security measures and writing the file directly to the `.git` directory. This makes it possible to create or overwrite the `.git/config` file. If the `core.sshCommand` directive is set in the repository configuration, Git will execute the system command specified in it, leading to remote code execution (RCE).
An attacker can gain full control of the server by executing arbitrary system commands with the privileges of the Gogs process. The confidentiality, integrity, and availability of the entire system are at risk.
Gogs should be updated to a version higher than 0.12.7. Details regarding available patches are available at the address indicated in the vendor references (huntr.com). As a temporary workaround, consider restricting access to file upload functionality or migrating to a non-Windows operating system.
Gogs in versions <= 0.12.7 deployed on Microsoft Windows servers
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGogs
APPGogs≤ 0.12.7Microsoft Windows
OSMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit