PT-2023-12641 · Gogs · Gogs

Published: 2023-02-25 · Updated: 2024-08-20 · CVE-2022-2024

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: gogs/gogs versions prior to 0.12.11

Description: The issue allows a malicious user to upload a crafted config file into a repository's .git directory, in combination with a crafted file deletion, to gain SSH access to the server on case-insensitive file systems. This affects all installations with repository upload enabled (the default setting) on case-insensitive file systems such as Windows and macOS.

Recommendations: For versions prior to 0.12.11, upgrade to 0.12.11 or the latest 0.13.0+dev to resolve the issue. As a temporary workaround, disable repository upload to reduce the risk of exploitation.
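The root cause described above is an upload path check that compared ".git" case-sensitively while the underlying file system did not. The following Go function is an added example of the defensive check a server-side upload handler needs; it is not Gogs' own code, and the function name SafeUploadPath is a hypothetical helper. It also covers two related quirks beyond the case issue: Windows treats a trailing "." or space in a name as nothing, and backslashes as separators.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafeUploadPath is returned for any destination that must be refused.
var ErrUnsafeUploadPath = errors.New("unsafe upload path")

// SafeUploadPath validates a user-supplied destination for a repository file
// upload and returns its cleaned, slash-separated form. Hypothetical helper.
// It rejects absolute paths, any ".." component (escape from the work tree),
// and any component that equals ".git" ignoring case and ignoring trailing
// dots/spaces, because on a case-insensitive file system ".Git/config" and
// ".git/config" name the same file, and a writable .git/config lets an
// uploader plant git settings that the server later honours.
func SafeUploadPath(userPath string) (string, error) {
	p := strings.ReplaceAll(userPath, "\\", "/") // Windows accepts both separators
	if p == "" || strings.HasPrefix(p, "/") {
		return "", ErrUnsafeUploadPath
	}
	cleaned := path.Clean(p)
	if cleaned == "." || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", ErrUnsafeUploadPath
	}
	for _, part := range strings.Split(cleaned, "/") {
		// Windows ignores trailing dots and spaces: ".git." opens ".git".
		name := strings.TrimRight(part, ". ")
		if part == ".." || strings.EqualFold(name, ".git") {
			return "", ErrUnsafeUploadPath
		}
	}
	return cleaned, nil
}

func main() {
	// Constructed sample inputs: one benign path and several that must be refused.
	samples := []string{"src/main.go", ".git/config", ".Git/config",
		"docs/../.GIT/hooks/post-receive", ".git./config", "..\\authorized_keys"}
	for _, s := range samples {
		got, err := SafeUploadPath(s)
		fmt.Printf("%-34q -> %q %v\n", s, got, err)
	}
}
```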

Weakness Enumeration: OS Command Injection

Related Identifiers:
CVE-2022-2024
GHSA-PFVH-P8QP-9WW9
GO-2023-1596

Affected Products: Gogs