PT-2022-14238 · Gogs · Gogs

Published: 2022-06-08 · Updated: 2024-08-21 · CVE-2022-1986

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: gogs/gogs versions prior to 0.12.9

Description: The issue allows a malicious user to upload a crafted config file into a repository's .git directory and, combined with a crafted file deletion, gain SSH access to the server. This affects all installations with repository upload enabled, which is the default setting.

Recommendations: For versions prior to 0.12.9, upgrade to 0.12.9 or the latest 0.13.0+dev to resolve the issue. As a temporary workaround, consider restricting access to the .git directory to minimize the risk of exploitation.

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2022-1986
GHSA-67MX-JC2F-JGJM
GO-2022-0556

Affected Products

Gogs