GHSA-5gjh-5j4f-cpwv

GitHub Security Advisory

Unrestricted Upload of File with Dangerous Type in Gogs

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

### Impact

A malicious user is able to upload a crafted `config` file into a repository's `.git` directory in order to gain SSH access to the server. All installations with [repository upload enabled (the default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.

### Patches

Repository file uploads into the repository's `.git` directory are now prohibited. Users should upgrade to 0.12.6 or the latest 0.13.0+dev.
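As an added illustration of the kind of server-side check this patch describes (example code written for this page, not Gogs' own implementation), the hypothetical `rejectUploadPath` function below normalises a user-supplied upload file name and refuses any path that escapes the repository root or has a `.git` component anywhere in it. The component match is case-insensitive, since a repository checked out on a case-insensitive filesystem would treat `.GIT/config` and `.git/config` as the same file.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// rejectUploadPath returns a non-nil error when a user-supplied upload
// file name must not be written into the repository working tree.
// Hypothetical helper written for this example; not a Gogs API.
func rejectUploadPath(name string) error {
	// Treat backslashes as separators so a Windows-style
	// "dir\..\.git\config" is normalised like the forward-slash form.
	normalized := strings.ReplaceAll(name, "\\", "/")

	// path.Clean collapses "." and ".." segments. Anything that is still
	// absolute or still starts with ".." after cleaning would land
	// outside the repository, so reject it instead of silently rewriting.
	cleaned := path.Clean(normalized)
	if cleaned == "." || cleaned == "" {
		return fmt.Errorf("empty upload file name")
	}
	if strings.HasPrefix(cleaned, "/") || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return fmt.Errorf("upload path escapes repository root: %q", name)
	}

	// Refuse a ".git" component at any depth. This also covers nested
	// repositories and submodule directories, which is the conservative
	// choice for content written straight into the working tree.
	for _, seg := range strings.Split(cleaned, "/") {
		if strings.EqualFold(seg, ".git") {
			return fmt.Errorf("upload into .git directory is not allowed: %q", name)
		}
	}
	return nil
}

func main() {
	// Constructed sample file names an upload handler might receive.
	samples := []string{
		"README.md",
		".gitignore",
		".git/config",
		"docs/../.git/config",
		"src\\.GIT\\hooks\\post-receive",
		"../../etc/passwd",
	}
	for _, s := range samples {
		if err := rejectUploadPath(s); err != nil {
			fmt.Printf("REJECT %-32q %v\n", s, err)
		} else {
			fmt.Printf("ALLOW  %q\n", s)
		}
	}
}
```

Ordinary dotfiles such as `.gitignore` and `.github/` content still pass, because only an exact (case-folded) `.git` segment is refused; the traversal check runs first so that `..` segments are reported rather than normalised away.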

### Workarounds

[Disable repository files upload](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L128-L129).

### References

https://huntr.dev/bounties/b4928cfe-4110-462f-a180-6d5673797902/

### For more information

If you have any questions or comments about this advisory, please post on #6833.

Affected Packages

Go gogs.io/gogs
Affected versions: 0 (fixed in 0.12.6)

Key Information

GHSA ID
GHSA-5gjh-5j4f-cpwv
Published
March 28, 2022 4:46 PM
Last Modified
March 28, 2022 4:46 PM
CVSS Score
7.5 /10
Primary Ecosystem
Go
Primary Package
gogs.io/gogs
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.