GMS-2022-1992: Path Traversal in Git HTTP endpoints in Gogs

June 8, 2022

Impact

The malicious user is able to craft HTTP requests to access unauthorized Git directories. All installations with are affected.

Patches

Path cleaning has accommodated for Git HTTP endpoints. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.

Workarounds

N/A

References

https://huntr.dev/bounties/22f9c074-cf60-4c67-b5c4-72fdf312609d/

For more information

If you have any questions or comments about this advisory, please post on #7002.

References

github.com/advisories/GHSA-6vcc-v9vw-g2x5
github.com/gogs/gogs/commit/9bf748b6c4c9a17d3aa77f6b9abcfae65451febf
github.com/gogs/gogs/issues/7002
github.com/gogs/gogs/security/advisories/GHSA-6vcc-v9vw-g2x5
huntr.dev/bounties/22f9c074-cf60-4c67-b5c4-72fdf312609d/

Code Behaviors & Features

Detect and mitigate GMS-2022-1992 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →