PT-2022-10085 · Gogs · Gogs

Published

2022-05-31

·

Updated

2024-08-21

·

CVE-2021-32546

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Gogs versions prior to 0.12.8

Description

The issue is caused by missing input validation in internal/db/repo_editor.go, which lets an authenticated but otherwise unprivileged user execute code on the Gogs server. The web editor does not reject paths inside a repository's .git directory, so an attacker can overwrite the Git configuration of a repository they control: create a new repository, add a file under any name, rename it to .git/config, and save it with attacker-chosen content. Git reads that file on every operation in the repository, and it can carry options such as core.sshCommand, which Git runs as a shell command whenever it contacts an ssh:// remote; once the master branch tracks a remote with an ssh:// URI, the command executes on the host, leading to remote command execution.

Recommendations

Upgrade to Gogs 0.12.8 or later (or the 0.13.0+dev development branch), which adds the missing path validation to the web editor. Until the upgrade is done, reduce exposure by restricting who can register accounts, create repositories or use the web editor on the instance, since exploitation requires only a registered user, and review the server-side .git/config of hosted repositories for unexpected core.sshCommand entries or ssh:// remotes that were not set by an administrator.
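The class of fix the advisory calls for, rejecting web-editor tree paths that resolve into the repository's .git directory, as an added Go example written for this page. It is not the Gogs project's own code: the function names isRepositoryGitPath and validateEditorPaths and the sample paths are assumptions made here, and the check is deliberately stricter than necessary (any path component named .git is refused, in any case).

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// isRepositoryGitPath reports whether a user-supplied tree path would land
// inside the repository's own .git directory (or replace the .git entry
// itself). Illustrative check written for this page, not the code shipped
// in Gogs 0.12.8.
//
// Git reads <repo>/.git/config on every invocation, so any write the web
// editor allows there is equivalent to editing the server's git config:
// core.sshCommand, for example, is run as a shell command whenever git
// contacts an ssh:// remote.
func isRepositoryGitPath(treePath string) bool {
	// Treat backslashes as separators so "foo\.git\config" is not missed on
	// a Windows host.
	p := strings.ReplaceAll(treePath, "\\", "/")

	// Anchor at "/" before cleaning: ".." segments that try to climb above
	// the repository root are dropped rather than kept, and "a/../.git" is
	// collapsed to "/.git". path.Clean also removes "." and repeated slashes.
	cleaned := path.Clean("/" + p)

	// Any path component equal to ".git" (case-insensitively, for
	// case-insensitive filesystems) is rejected. ".gitignore", ".github" and
	// "my.git" are ordinary names and stay allowed.
	for _, seg := range strings.Split(cleaned, "/") {
		if strings.EqualFold(seg, ".git") {
			return true
		}
	}
	return false
}

// validateEditorPaths applies the check to both paths involved in a web
// editor operation. The advisory's vector is the rename step: the file is
// created under a harmless name and then renamed to .git/config, so checking
// only the creation path is not enough. oldTreePath is empty for a create.
func validateEditorPaths(oldTreePath, newTreePath string) error {
	for _, p := range []string{oldTreePath, newTreePath} {
		if p == "" {
			continue
		}
		if isRepositoryGitPath(p) {
			return fmt.Errorf("refusing to touch %q: path is inside the .git directory", p)
		}
	}
	return nil
}

func main() {
	// Constructed cases for the reader; the fourth one is the rename from the
	// advisory, the fifth a traversal variant of it.
	cases := [][2]string{
		{"", "README.md"},
		{"", ".gitignore"},
		{"README.md", "docs/README.md"},
		{"config", ".git/config"},
		{"", "src/../.git/hooks/post-receive"},
	}
	for _, c := range cases {
		if err := validateEditorPaths(c[0], c[1]); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Printf("allowed: %q -> %q\n", c[0], c[1])
		}
	}
}
```

The check works on the path alone and does not inspect file content: once a write into .git is possible, refusing only files that mention sshCommand would leave hooks, alternates and other git-interpreted files reachable, so the directory as a whole is the right boundary.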

Fix

Weakness Enumeration

OS Command Injection (CWE-78)

Related Identifiers

CVE-2021-32546
GHSA-56J7-2PM8-RGMX
GO-2022-0471

Affected Products

Gogs