PT-2022-14171 · Gogs · Gogs
Published: 2022-06-02 · Updated: 2024-11-25 · CVE-2022-1884
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: gogs/gogs versions <= 0.12.7
Description: A remote command execution issue exists due to improper validation of the tree path parameter during file uploads. An attacker can upload a file into the .git directory by setting the tree path to ".git.", which allows them to write or overwrite the .git/config file. If core.sshCommand is set in that file, this can lead to remote command execution. The issue affects all Windows installations with repository upload enabled.
Recommendations: For gogs/gogs versions <= 0.12.7, upgrade to version 0.12.8 or later to resolve the issue. As a temporary workaround, disable repository file uploads to minimize the risk of exploitation.
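As an added illustration of the kind of check that closes this class of bug (hypothetical code written for this advisory, not Gogs' own fix), the validator below rejects upload tree paths that would resolve to the .git directory once Windows file-name normalisation is applied, which is what makes a value such as ".git." dangerous. It assumes the validated path is later joined onto the repository root.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// isSafeTreePath reports whether a user-supplied upload tree path may be
// joined onto a repository working tree. Hypothetical validator, not Gogs
// code. It rejects absolute paths, traversal outside the repository, and
// any component that would reach .git after Windows normalisation: NTFS is
// case-insensitive and the Win32 layer silently strips trailing dots and
// spaces, so ".git." or ".GIT " open the real .git directory.
func isSafeTreePath(treePath string) bool {
	// Normalise Windows separators so path.Clean sees every component.
	p := strings.ReplaceAll(treePath, `\`, "/")
	if p == "" {
		return true // repository root
	}
	if strings.HasPrefix(p, "/") || strings.ContainsAny(p, ":\x00") {
		return false // absolute, drive-qualified/ADS, or NUL-containing path
	}
	cleaned := path.Clean(p)
	if cleaned == "." {
		return true // e.g. "./" collapses to the repository root
	}
	for _, part := range strings.Split(cleaned, "/") {
		if part == ".." {
			return false // path.Clean only keeps ".." that escapes the root
		}
		// Apply the same normalisation Windows applies before comparing.
		norm := strings.ToLower(strings.TrimRight(part, ". "))
		if norm == ".git" {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample inputs, including the ".git." spelling from the advisory.
	samples := []string{"src/main", ".git", ".git.", "docs/.GIT /hooks", `src\..\.git`, "../other", ".gitignore"}
	for _, tp := range samples {
		fmt.Printf("%-20q safe=%v\n", tp, isSafeTreePath(tp))
	}
}
```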

Weakness Enumeration: OS Command Injection (Command Injection)
Related Identifiers: CVE-2022-1884, GHSA-958J-443G-7MM7, GO-2022-0749
Affected Products: Gogs