CVE-2022-1884— Gogs 操作系统命令注入漏洞

Remote Command Execution in gogs/gogs

A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the .git directory, allowing them to write or rewrite the `.git/config` file. If the `core.sshCommand` is set, this can lead to remote command execution.

N/A

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Gogs 操作系统命令注入漏洞

Gogs（Go Git Service）是Gogs团队的一个基于Go语言的自助Git托管服务，它支持创建、迁移公开/私有仓库，添加、删除仓库协作者等。 Gogs 0.12.7及之前版本存在操作系统命令注入漏洞，该漏洞源于文件上传期间对tree_path参数的验证不当，可能导致远程命令执行。

N/A

N/A