CVE-2022-1884
CVSS V2 None
CVSS V3 None
Description
A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the .git directory, allowing them to write or rewrite the `.git/config` file. If the `core.sshCommand` is set, this can lead to remote command execution.
Overview
- CVE ID
- CVE-2022-1884
- Assigner
- @huntr_ai
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-11-15T10:53:00.844Z
- Last Modified Date
- 2024-11-15T19:15:02.353Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://huntr.com/bounties/9cd4e7b7-0979-4e5e-9a1c-388b58dea76b |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-1884 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1884 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-11-16 12:17:39 | Added to TrackCVE |