GHSA-994f-7g86-qr56

Suggest an improvement
Source
https://github.com/advisories/GHSA-994f-7g86-qr56
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-994f-7g86-qr56/GHSA-994f-7g86-qr56.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-994f-7g86-qr56
Aliases
Published
2022-06-08T20:15:11Z
Modified
2024-08-21T15:27:19.503153Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
Path Traversal in file editor on Windows in Gogs
Details

Impact

The malicious user is able to delete and upload arbitrary file(s). All installations on Windows with repository upload enabled (default) are affected.

Patches

Path cleaning has accommodated for Windows. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.

Workarounds

N/A

References

https://huntr.dev/bounties/2e8cdc57-a9cf-46ae-9088-87f09e6c90ab/

For more information

If you have any questions or comments about this advisory, please post on #7001.

Database specific
{
    "nvd_published_at": "2022-06-09T17:15:00Z",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-08T20:15:11Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Go / gogs.io/gogs

Package

Name
gogs.io/gogs
View open source insights on deps.dev
Purl
pkg:golang/gogs.io/gogs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.12.9