Login Sign Up

CVE-2022-1993

8.1 HIGH
Path Traversal

📋 TL;DR

CVE-2022-1993 is a path traversal vulnerability in Gogs (Go Git Service) that allows attackers to read arbitrary files on the server by manipulating file paths. This affects all Gogs installations prior to version 0.12.9. The vulnerability can be exploited by authenticated users with repository access.

💻 Affected Systems

Products:
  • Gogs (Go Git Service)
Versions: All versions prior to 0.12.9
Operating Systems: All platforms running Gogs
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to exploit. Affects both self-hosted and cloud deployments.

📦 What is this software?

Gogs by Gogs

View all CVEs affecting Gogs →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read sensitive system files including configuration files, SSH keys, database credentials, and source code, potentially leading to complete system compromise.

🟠

Likely Case

Unauthorized access to repository files, configuration data, and potentially sensitive user information stored in accessible directories.

🟢

If Mitigated

Limited to reading files within the Gogs installation directory if proper file permissions and access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access. Proof of concept available in public repositories and bounty reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.9 and later

Vendor Advisory: https://github.com/gogs/gogs/commit/9bf748b6c4c9a17d3aa77f6b9abcfae65451febf

Restart Required: Yes

Instructions:

1. Backup your Gogs data and configuration. 2. Stop the Gogs service. 3. Update to Gogs version 0.12.9 or later. 4. Restart the Gogs service. 5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict File Permissions

linux

Set strict file permissions to limit what files Gogs can access

chmod 750 /path/to/gogs/data
chown -R gogs:gogs /path/to/gogs

Network Segmentation

all

Restrict network access to Gogs instance

🧯 If You Can't Patch

  • Implement strict file system permissions and access controls
  • Use network segmentation and firewall rules to restrict access to Gogs

🔍 How to Verify

Check if Vulnerable:

Check Gogs version. If version is below 0.12.9, the system is vulnerable.

Check Version:

Check Gogs web interface admin panel or run: ./gogs --version

Verify Fix Applied:

Verify Gogs version is 0.12.9 or higher and test path traversal attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns
  • Multiple failed path traversal attempts
  • Access to files outside repository directories

Network Indicators:

  • Unusual HTTP requests with path traversal patterns (../ sequences)
  • Requests to non-repository file paths

SIEM Query:

source="gogs" AND (http_uri="*../*" OR http_uri="*/../*")

📊 Metadata

CVE ID: CVE-2022-1993
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-22
Published: June 9, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-1993, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)