Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/gogs/gogs: CVE-2021-32546 #471

Closed
GoVulnBot opened this issue Jun 2, 2022 · 3 comments
Closed
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

CVE-2021-32546 references github.com/gogs/gogs, which may be a Go module.

Description:
Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configuration can contain an option such as sshCommand, which is executed when a master branch is a remote branch (using an ssh:// URI). The remote branch can also be configured by editing the Git configuration file. One can create a new file in a new repository, using the GUI, with "" as its name, and then rename this file to .git/config with the custom configuration content (and then save it).

Links:

See doc/triage.md for instructions on how to triage this report.

module: github.com/gogs/gogs
package: n/a
description: |
    Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configuration can contain an option such as sshCommand, which is executed when a master branch is a remote branch (using an ssh:// URI). The remote branch can also be configured by editing the Git configuration file. One can create a new file in a new repository, using the GUI, with "\" as its name, and then rename this file to .git/config with the custom configuration content (and then save it).
cves:
  - CVE-2021-32546
links:
    context:
      - https://github.com/gogs/gogs/releases
      - https://github.com/gogs/gogs/security/advisories/GHSA-56j7-2pm8-rgmx

@neild
Copy link
Contributor

neild commented Jun 14, 2022

Vulnerability in tool.

@neild neild closed this as completed Jun 14, 2022
@neild neild added excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. and removed NotGoVuln labels Aug 10, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592768 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607219 mentions this issue: data/reports: unexclude 20 reports (17)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-0457.yaml
  - data/reports/GO-2022-0458.yaml
  - data/reports/GO-2022-0459.yaml
  - data/reports/GO-2022-0471.yaml
  - data/reports/GO-2022-0473.yaml
  - data/reports/GO-2022-0480.yaml
  - data/reports/GO-2022-0482.yaml
  - data/reports/GO-2022-0483.yaml
  - data/reports/GO-2022-0490.yaml
  - data/reports/GO-2022-0491.yaml
  - data/reports/GO-2022-0494.yaml
  - data/reports/GO-2022-0495.yaml
  - data/reports/GO-2022-0496.yaml
  - data/reports/GO-2022-0497.yaml
  - data/reports/GO-2022-0498.yaml
  - data/reports/GO-2022-0499.yaml
  - data/reports/GO-2022-0500.yaml
  - data/reports/GO-2022-0501.yaml
  - data/reports/GO-2022-0502.yaml
  - data/reports/GO-2022-0505.yaml

Updates #457
Updates #458
Updates #459
Updates #471
Updates #473
Updates #480
Updates #482
Updates #483
Updates #490
Updates #491
Updates #494
Updates #495
Updates #496
Updates #497
Updates #498
Updates #499
Updates #500
Updates #501
Updates #502
Updates #505

Change-Id: I92c5f4afd83bb1c6bd9f448bc65ca730c64ce770
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607219
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Development

No branches or pull requests

3 participants