Gogs Zero-Day Exposes Servers to Remote Code Execution
Briefly

Gogs contains a critical-severity zero-day vulnerability with a CVSS score of 9.4 that enables remote code execution. The flaw is an argument injection issue triggered during the “Rebase before merging” merge operation. When this option is enabled, Gogs passes the pull request base branch name into git rebase without preventing injected arguments from being interpreted as flags. Because git rebase supports the -exec flag, attackers can craft malicious branch names that cause Gogs to run shell commands after replaying each commit, using the privileges of the Gogs server process user. The operation is not enabled by default, but repository owners or administrators can enable it, and any registered user becomes the owner of repositories they create. Open registration and unlimited repository creation allow unauthenticated attackers to create accounts and repositories on default instances, enabling exploitation without user interaction.
"The critical-severity issue, assigned a CVSS score of 9.4, is an argument injection flaw that can be exploited by authenticated attackers via pull requests with malicious branch names. Rapid7 explains that the pull requests inject 'the -exec flag into git rebase during the “Rebase before merging” merge operation', leading to command execution with the privileges of the Gogs server process user."
"A standard merge creates a merge commit joining two branch histories. A rebase before merge replays the head branch's commits on top of the base branch to produce a linear history," Rapid7 explains. "During rebase, the merge function passes the pull request's base branch name to the git rebase function without preventing the interpretation of subsequent arguments as flags."
"Insufficient checks and sanitization against argument injection and the fact that git rebase accepts the -exec flag, which tells Gogs to run a shell command after replaying each commit, allow attackers to include malicious arguments in branch names, which will be executed after each replayed commit."
"Since Gogs ships with open registration enabled by default and no limit on repository creation, an unauthenticated attacker can simply create an account and repository on any default-configured instance," the cybersecurity firm says. "Any repository owner or administrator can enable it, and any registered user automatically becomes the owner of repositories they create."
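As an added illustration of the weak-versus-hardened pattern the summary and the Rapid7 quotes describe (this is not Gogs' or Rapid7's code; the function names, the validation rules and the refs/heads/ prefixing are assumptions), this Go snippet shows a base branch name reaching git's argv unchecked beside a version that validates the name and passes it as a fully qualified ref, which can never be parsed as an option:

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrUnsafeRef is returned for a branch name that must not reach git's argv.
var ErrUnsafeRef = errors.New("unsafe branch name")

// validateBranchName rejects names that git would parse as options or that
// violate git's ref-name rules (a Go approximation of `git check-ref-format`).
func validateBranchName(name string) error {
	switch {
	case name == "", strings.HasPrefix(name, "-"), strings.HasPrefix(name, "/"):
		return ErrUnsafeRef
	case strings.Contains(name, ".."), strings.Contains(name, "@{"),
		strings.Contains(name, "//"), strings.HasSuffix(name, ".lock"),
		strings.HasSuffix(name, "/"), strings.HasSuffix(name, "."):
		return ErrUnsafeRef
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return ErrUnsafeRef
		}
	}
	return nil
}

// vulnerableRebaseArgs mirrors the weak pattern described in the article: the
// user-controlled base branch name is appended to argv untouched, so a name
// beginning with '-' is consumed by git's option parser instead of as a ref.
func vulnerableRebaseArgs(base string) []string {
	return []string{"rebase", base}
}

// hardenedRebaseArgs validates the name and hands git a fully qualified ref.
// Note that exec.Command never involves a shell; the risk is git's own parser.
func hardenedRebaseArgs(base string) ([]string, error) {
	if err := validateBranchName(base); err != nil {
		return nil, err
	}
	return []string{"rebase", "refs/heads/" + base}, nil
}

func main() {
	for _, name := range []string{"main", "--exec=PLACEHOLDER"} { // constructed inputs
		fmt.Println("vulnerable argv:", exec.Command("git", vulnerableRebaseArgs(name)...).Args)
		args, err := hardenedRebaseArgs(name)
		fmt.Println("hardened argv:  ", args, "err:", err)
	}
}
```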
Read at SecurityWeek