Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-pfvh-p8qp-9ww9 #1596

Closed
GoVulnBot opened this issue Feb 28, 2023 · 4 comments
Closed

x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-pfvh-p8qp-9ww9 #1596

GoVulnBot opened this issue Feb 28, 2023 · 4 comments
Assignees
@zpavlinovic
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-pfvh-p8qp-9ww9, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
gogs.io/gogs 0.12.11 < 0.12.11

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: gogs.io/gogs
    versions:
      - fixed: 0.12.11
    packages:
      - package: gogs.io/gogs
description: |
    ### Impact

    The malicious user is able to update a crafted `config` file into repository's `.git` directory in combination with crafted file deletion to gain SSH access to the server on case-insensitive file systems. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) on case-insensitive file systems (Windows, macOS, etc.) are affected.

    ### Patches

    Make sanitization of upload path to `.git` directory to be case-insensitive. Users should upgrade to 0.12.11 or the latest 0.13.0+dev.

    ### Workarounds

    Disable [repository upload](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129).

    ### References

    https://huntr.dev/bounties/18cf9256-23ab-4098-a769-85f8da130f97/

    ### For more information

    If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7030.
cves:
  - CVE-2022-2024
ghsas:
  - GHSA-pfvh-p8qp-9ww9
references:
  - advisory: https://github.com/gogs/gogs/security/advisories/GHSA-pfvh-p8qp-9ww9
  - web: https://nvd.nist.gov/vuln/detail/CVE-2022-2024
  - report: https://github.com/gogs/gogs/issues/7030
  - fix: https://github.com/gogs/gogs/commit/15d0d6a94be0098a8227b6b95bdf2daed105ec41
  - web: https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129
  - web: https://huntr.dev/bounties/18cf9256-23ab-4098-a769-85f8da130f97
  - advisory: https://github.com/advisories/GHSA-pfvh-p8qp-9ww9
@zpavlinovic zpavlinovic self-assigned this Feb 28, 2023
@zpavlinovic
Copy link
Contributor

Vulnerability in tool.

@zpavlinovic zpavlinovic added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Feb 28, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/472335 mentions this issue: data/excluded: batch add GO-2023-1596

This was referenced Jul 25, 2023
Closed
Closed
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592759 mentions this issue: data/reports: unexclude 75 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606783 mentions this issue: data/reports: unexclude 20 reports (3)

gopherbot pushed a commit that referenced this issue Aug 20, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (3)
f2aa411 
  - data/reports/GO-2023-1590.yaml
  - data/reports/GO-2023-1592.yaml
  - data/reports/GO-2023-1596.yaml
  - data/reports/GO-2023-1607.yaml
  - data/reports/GO-2023-1612.yaml
  - data/reports/GO-2023-1613.yaml
  - data/reports/GO-2023-1614.yaml
  - data/reports/GO-2023-1615.yaml
  - data/reports/GO-2023-1616.yaml
  - data/reports/GO-2023-1617.yaml
  - data/reports/GO-2023-1618.yaml
  - data/reports/GO-2023-1619.yaml
  - data/reports/GO-2023-1620.yaml
  - data/reports/GO-2023-1622.yaml
  - data/reports/GO-2023-1627.yaml
  - data/reports/GO-2023-1628.yaml
  - data/reports/GO-2023-1629.yaml
  - data/reports/GO-2023-1630.yaml
  - data/reports/GO-2023-1633.yaml
  - data/reports/GO-2023-1639.yaml

Updates #1590
Updates #1592
Updates #1596
Updates #1607
Updates #1612
Updates #1613
Updates #1614
Updates #1615
Updates #1616
Updates #1617
Updates #1618
Updates #1619
Updates #1620
Updates #1622
Updates #1627
Updates #1628
Updates #1629
Updates #1630
Updates #1633
Updates #1639

Change-Id: I2441a82107b88955ddb98c7d3c55b7b2fe3e3aa7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606783
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@zpavlinovic zpavlinovic

Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zpavlinovic @gopherbot @GoVulnBot