CVE-2021-32546

8.8 HIGH

📋 TL;DR

CVE-2021-32546 is a remote code execution vulnerability in the Gogs self-hosted Git service. Missing input validation lets an attacker with a registered account overwrite a repository's Git configuration files and execute arbitrary commands on the server. All Gogs instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Gogs
Versions: All versions before 0.12.8
Operating Systems: All platforms running Gogs
Default Config Vulnerable: ⚠️ Yes
Notes: All Gogs installations with default configurations are vulnerable. The attack requires user registration capability to be enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise allowing attackers to execute arbitrary commands with the privileges of the Gogs process, potentially leading to data theft, lateral movement, or complete system takeover.

🟠 Likely Case

Remote code execution leading to unauthorized access, data exfiltration, or deployment of malware/backdoors on the affected Gogs server.

🟢 If Mitigated

Limited impact with proper network segmentation and least-privilege configuration, potentially containing the attack to the Gogs application environment.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a registered user account. The vulnerability has been publicly disclosed with proof-of-concept details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.8 and later

Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-56j7-2pm8-rgmx

Restart Required: Yes

Instructions:

1. Back up your Gogs data and configuration.
2. Stop the Gogs service.
3. Update to Gogs version 0.12.8 or later.
4. Restart the Gogs service.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Disable User Registration (all platforms)

Prevent new user registration to block the initial attack vector.

Edit the app.ini configuration file and set DISABLE_REGISTRATION = true.

Restrict Repository Operations (all platforms)

Limit repository creation and editing permissions to trusted users only.

Configure Gogs permissions to restrict repository operations to administrators.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Gogs from critical systems
  • Enable detailed logging and monitoring for suspicious repository configuration changes

🔍 How to Verify

Check if Vulnerable:

Check the Gogs version through the web interface or by examining the installation directory. Versions below 0.12.8 are vulnerable.

Check Version:

Check the Gogs web interface dashboard or examine the VERSION file in the Gogs installation directory.

Verify Fix Applied:

Verify that the Gogs version is 0.12.8 or higher and test that repository configuration files cannot be overwritten through the web interface.
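As an added example (not code from this advisory or from the Gogs project), the two verification checks above in Python: a version comparison against the 0.12.8 fix that reads the VERSION file's contents, and a hypothetical path validator of the kind that stops a repository-relative file path from reaching .git/config. The validator is illustrative only, assumes POSIX-style repository paths, and is not Gogs' own validation logic.

```python
import posixpath
import re

# Gogs shipped the fix for CVE-2021-32546 in 0.12.8 (per the advisory above).
FIXED_VERSION = (0, 12, 8)


def parse_version(text: str) -> tuple:
    """Parse a VERSION string such as '0.12.7' or 'v0.11.91' into an int tuple.
    A missing patch component counts as 0; suffixes like '-rc1' are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True when the installed Gogs is older than the 0.12.8 fix.
    Tuple comparison avoids the '0.12.10' < '0.12.8' string-ordering trap."""
    return parse_version(text) < FIXED_VERSION


def is_safe_repo_path(user_path: str) -> bool:
    """Hypothetical server-side check for a file path submitted to a web
    editor: reject anything that escapes the work tree or touches a .git
    directory (e.g. .git/config). Not the check Gogs itself ships."""
    if not user_path or "\x00" in user_path:
        return False
    # Treat backslashes as separators so Windows-style traversal is caught too.
    normalized = posixpath.normpath(user_path.replace("\\", "/"))
    if normalized.startswith("/"):
        return False
    parts = normalized.split("/")
    if ".." in parts:
        return False  # still escapes the repository root after normalisation
    if any(p.lower() == ".git" for p in parts):
        return False  # would write into Git's own metadata directory
    return True


if __name__ == "__main__":
    # Constructed sample VERSION contents and editor paths for illustration.
    for v in ("0.12.7", "0.12.8", "0.12.10"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "patched")
    for p in ("README.md", ".git/config", "a/../../.git/config"):
        print(p, "allowed" if is_safe_repo_path(p) else "rejected")
```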

📡 Detection & Monitoring

Log Indicators:

  • Unusual repository configuration changes
  • Multiple failed attempts to create or rename files with special characters
  • Unexpected SSH command executions

Network Indicators:

  • Unusual outbound connections from Gogs server
  • SSH connections to unexpected destinations

SIEM Query:

source="gogs" AND (event="repository_config_change" OR file_name="\" OR file_name=".git/config")
