x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-958j-443g-7mm7

[julieqiu]

In GitHub Security Advisory GHSA-958j-443g-7mm7, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
gogs.io/gogs	0.12.8	< 0.12.8

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: gogs.io/gogs
    versions:
      - fixed: 0.12.8
description: |
    ### Impact

    The malicious user is able to upload a crafted `config` file into repository's `.git` directory with to gain SSH access to the server. All Windows installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.

    ### Patches

    Repository file uploads are prohibited to its `.git` directory. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.

    ### Workarounds

    [Disable repository files upload](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L128-L129).

    ### References

    https://www.huntr.dev/bounties/9cd4e7b7-0979-4e5e-9a1c-388b58dea76b/

    ### For more information

    If you have any questions or comments about this advisory, please post on #6968.
published: 2022-06-02T20:50:21Z
last_modified: 2022-06-02T20:50:23Z
cves:
  - CVE-2022-1884
ghsas:
  - GHSA-958j-443g-7mm7
links:
    context:
      - https://github.com/advisories/GHSA-958j-443g-7mm7

[tatianab]

Code is not importable

[gopherbot]

Change https://go.dev/cl/592770 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607223 mentions this issue: data/reports: unexclude 20 reports (21)