x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-phm4-wf3h-pc3r

[GoVulnBot]

Advisory GHSA-phm4-wf3h-pc3r references a vulnerability in the following Go modules:

Module
gogs.io/gogs

Description:
Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.

References:

• ADVISORY: GHSA-phm4-wf3h-pc3r
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-44625
• WEB: https://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs
• WEB: https://gogs.io

Cross references:

• gogs.io/gogs appears in 23 other report(s):
  • data/excluded/GO-2023-1967.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-9hxg-w7qf-hh93 #1967) NOT_IMPORTABLE
  • data/reports/GO-2022-0369.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-gw5h-h6hj-f56g #369)
  • data/reports/GO-2022-0377.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-q347-cg56-pcq4 #377)
  • data/reports/GO-2022-0471.yaml (x/vulndb: potential Go vuln in github.com/gogs/gogs: CVE-2021-32546 #471)
  • data/reports/GO-2022-0473.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-pj96-4jhv-v792 #473)
  • data/reports/GO-2022-0483.yaml (x/vulndb: potential Go vuln in github.com/gogs/gogs: CVE-2022-31038 #483)
  • data/reports/GO-2022-0554.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-5gjh-5j4f-cpwv #554)
  • data/reports/GO-2022-0556.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-67mx-jc2f-jgjm #556)
  • data/reports/GO-2022-0562.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-6vcc-v9vw-g2x5 #562)
  • data/reports/GO-2022-0566.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-7v5r-r995-q2x2 #566)
  • data/reports/GO-2022-0570.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-994f-7g86-qr56 #570)
  • data/reports/GO-2022-0583.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-w689-557m-2cvq #583)
  • data/reports/GO-2022-0597.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-ff28-f46g-r9g8 #597)
  • data/reports/GO-2022-0642.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-9hx4-qm7h-x84j #642)
  • data/reports/GO-2022-0749.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-958j-443g-7mm7 #749)
  • data/reports/GO-2022-0788.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-4c7m-vv47-7c69 #788)
  • data/reports/GO-2022-0797.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-5r2v-6gm6-vpvh #797)
  • data/reports/GO-2022-0822.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-cpgw-2wxr-pww3 #822)
  • data/reports/GO-2022-0831.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-g6xv-8q23-w2q3 #831)
  • data/reports/GO-2022-1060.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-mcjj-2fvq-mc3r #1060)
  • data/reports/GO-2023-1596.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-pfvh-p8qp-9ww9 #1596)
  • data/reports/GO-2023-1971.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-fg3x-rwq9-74cw #1971)
  • data/reports/GO-2023-1972.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-px5r-fqj6-r2f8 #1972)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: gogs.io/gogs
      vulnerable_at: 0.13.0
summary: Unpatched Remote Code Execution in Gogs in gogs.io/gogs
cves:
    - CVE-2024-44625
ghsas:
    - GHSA-phm4-wf3h-pc3r
references:
    - advisory: https://github.com/advisories/GHSA-phm4-wf3h-pc3r
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-44625
    - web: https://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs
    - web: https://gogs.io
source:
    id: GHSA-phm4-wf3h-pc3r
    created: 2024-11-15T22:01:20.022370039Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/629356 mentions this issue: data/reports: add 9 unreviewed reports