CVE-2022-1884
📋 TL;DR
A remote command execution vulnerability in Gogs (Git service) allows attackers to upload malicious files to the .git directory when deployed on Windows servers. By manipulating the tree_path parameter during file uploads, attackers can overwrite .git/config and execute arbitrary commands if core.sshCommand is configured. This affects Gogs versions 0.12.7 and earlier running on Windows.
💻 Affected Systems
- gogs/gogs
📦 What is this software?
Gogs by Gogs
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining remote command execution as the Gogs service account, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Remote code execution leading to web shell installation, credential harvesting, or deployment of additional malware on the affected server.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place, potentially only affecting the Gogs application.
🎯 Exploit Status
Exploitation requires file upload capability and knowledge of the vulnerability. The public bounty disclosure includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.12.8
Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-5jq8-2j3q-g2r8
Restart Required: Yes
Instructions:
1. Backup your Gogs data and configuration.
2. Stop the Gogs service.
3. Download and install Gogs version 0.12.8 or later from the official repository.
4. Restart the Gogs service.
5. Verify the installation and test functionality.
🔧 Temporary Workarounds
Restrict File Upload Paths
Implement web application firewall rules or application-level validation to reject file uploads whose path parameter (tree_path) contains .git.
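One way to implement the application-level check described above, as an added example that is not Gogs' own code: a hypothetical ValidateTreePath helper that canonicalises a user-supplied tree_path and rejects it if it is absolute, traverses upward, or contains a .git component. Because the issue is Windows-specific, the check normalises backslash separators and compares names case-insensitively rather than doing a plain substring match.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafeTreePath is returned for any tree_path that could escape the
// working tree or land inside the .git metadata directory.
var ErrUnsafeTreePath = errors.New("unsafe tree_path")

// ValidateTreePath returns the cleaned, forward-slash tree_path relative to
// the repository root, or ErrUnsafeTreePath. Hypothetical helper, not Gogs code.
func ValidateTreePath(treePath string) (string, error) {
	// Windows accepts '\' as well as '/' as a separator; canonicalise first so
	// later checks see one separator style.
	p := strings.ReplaceAll(treePath, `\`, "/")
	if strings.ContainsRune(p, 0) {
		return "", ErrUnsafeTreePath
	}
	// Reject absolute paths (leading slash or a drive letter such as C:).
	if strings.HasPrefix(p, "/") || (len(p) >= 2 && p[1] == ':') {
		return "", ErrUnsafeTreePath
	}
	clean := path.Clean(p)
	if clean == "." {
		return "", nil // upload at the repository root
	}
	if clean == ".." || strings.HasPrefix(clean, "../") {
		return "", ErrUnsafeTreePath
	}
	for _, seg := range strings.Split(clean, "/") {
		// NTFS is case-insensitive and Win32 name normalisation can drop
		// trailing dots and spaces, so compare a normalised segment name.
		name := strings.ToLower(strings.TrimRight(seg, ". "))
		if name == ".git" {
			return "", ErrUnsafeTreePath
		}
	}
	return clean, nil
}

func main() {
	// Constructed sample inputs: the first two are accepted, the rest rejected.
	for _, in := range []string{"src/lib", `src\lib`, ".git/config", ".GIT", "docs/.git."} {
		out, err := ValidateTreePath(in)
		fmt.Printf("%-14q -> %q, %v\n", in, out, err)
	}
}
```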
Disable core.sshCommand
Remove or restrict the core.sshCommand configuration in .git/config files to prevent command execution. Note that the command below only clears the global setting for the account running it; the config of each hosted repository must be checked separately (git config --unset core.sshCommand, run inside the repository).
git config --global --unset core.sshCommand
🧯 If You Can't Patch
- Migrate Gogs deployment from Windows to Linux if possible, as Linux deployments are not vulnerable to this specific issue.
- Implement strict network segmentation and firewall rules to limit access to Gogs instances, allowing only trusted IP addresses.
🔍 How to Verify
Check if Vulnerable:
Check Gogs version via web interface admin panel or by examining the binary/installation directory. Versions <=0.12.7 on Windows are vulnerable.
Check Version:
On Windows: check the Gogs binary's file properties or the admin panel in the web UI. From the command line: gogs --version.
Verify Fix Applied:
Verify that the Gogs version is 0.12.8 or higher, and confirm that file uploads with a tree_path containing .git are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload attempts with tree_path containing .git patterns
- Multiple failed upload attempts with path manipulation
- Changes to .git/config files
Network Indicators:
- HTTP POST requests to upload endpoints with suspicious tree_path parameters
- Unusual outbound connections from Gogs server following uploads
SIEM Query:
source="gogs" AND http_method="POST" AND uri_path="/upload" AND (http_query="*tree_path=*.git*" OR message="*tree_path=*.git*")