Gogs Remote Command Execution Vulnerability via .git Directory Manipulation

Vulnerability

A remote command execution vulnerability exists in Gogs versions prior to 0.13.3. The patch for an earlier file-deletion vulnerability was incomplete: an unprivileged user can still delete files inside a repository's .git directory. Exploiting this allows arbitrary commands to be executed on the Gogs instance with the privileges of the account configured as RUN_USER. Because every repository on the instance runs under that same account, an attacker can then read and modify any user's code hosted there.

Impact

An unprivileged user can execute arbitrary commands on the Gogs instance as the RUN_USER account, which in turn gives unauthorized read and write access to every repository hosted on it.

Reproduction

To reproduce this vulnerability, first commit a symbolic link into a repository that points at the repository's .git directory. Then, using an unprivileged account with write access to that repository, delete a file through the symbolic link path. The safeguard that blocks deletion of .git files does not account for where the requested path actually resolves, so the deletion reaches the .git directory, and from there the attacker can obtain remote command execution.
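The bypass above works against any check that looks only at the path string the user supplied. The following Go example is added here for illustration and is not Gogs code: it contrasts a name-only .git check with one that resolves symlinks before deciding. The fixture directory, the `link` symlink, and the function names `NaiveGitCheck`, `ResolvedGitCheck` and `SetupDemoRepo` are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrProtectedPath is returned when a path resolves into .git or outside the repo.
var ErrProtectedPath = errors.New("path resolves into a protected location")

// NaiveGitCheck is the kind of lexical-only check a symlink defeats: it inspects
// only the supplied path string, never the filesystem. (Illustrative, not Gogs code.)
func NaiveGitCheck(relPath string) error {
	clean := filepath.ToSlash(filepath.Clean(relPath))
	if clean == ".git" || strings.HasPrefix(clean, ".git/") {
		return ErrProtectedPath
	}
	return nil
}

// ResolvedGitCheck resolves symlinks first and rejects any path whose real
// location is outside the repository or inside its .git directory.
func ResolvedGitCheck(repoRoot, relPath string) error {
	// Resolve the root too, in case the repository directory is itself a symlink.
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return err
	}
	// A missing or dangling path is an error, never an implicit allow.
	real, err := filepath.EvalSymlinks(filepath.Join(root, relPath))
	if err != nil {
		return err
	}
	rel, err := filepath.Rel(root, real)
	if err != nil {
		return err
	}
	rel = filepath.ToSlash(rel)
	if rel == ".." || strings.HasPrefix(rel, "../") {
		return ErrProtectedPath // escaped the repository entirely
	}
	if rel == ".git" || strings.HasPrefix(rel, ".git/") {
		return ErrProtectedPath
	}
	return nil
}

// SetupDemoRepo builds a throwaway working tree (a constructed fixture): a .git
// directory with a config file, a normal README.md, and a symlink "link" -> .git.
// It returns the repository root; the caller removes it.
func SetupDemoRepo() (string, error) {
	root, err := os.MkdirTemp("", "gogs-symlink-demo")
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Join(root, ".git"), 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(root, ".git", "config"), []byte("[core]\n"), 0o644); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(root, "README.md"), []byte("demo\n"), 0o644); err != nil {
		return "", err
	}
	if err := os.Symlink(".git", filepath.Join(root, "link")); err != nil {
		return "", err
	}
	return root, nil
}

func main() {
	root, err := SetupDemoRepo()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// "link/config" passes the naive check but is really .git/config.
	for _, p := range []string{"README.md", ".git/config", "link/config"} {
		fmt.Printf("%-12s naive=%v resolved=%v\n", p, NaiveGitCheck(p), ResolvedGitCheck(root, p))
	}
}
```

The resolved check is the property to test when reviewing a fix of this kind: every file operation the web UI or API performs inside a working tree should be validated against the real path after symlink resolution, for the final component as well as every parent directory.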

Remediation

Upgrade to Gogs version 0.13.3 or later, which contains the fix for this vulnerability.

Added: Jun 24, 2025, 4:25 AM
Updated: Jun 24, 2025, 4:25 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 7.5
exploitability: 9.1
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.