Gogs Cross-Repository LFS Object Overwrite Vulnerability Allowing Supply-Chain Attacks

Vulnerability

Gogs versions prior to 0.14.2 allow Git Large File Storage (LFS) objects to be overwritten across repositories. Two defects combine. First, the server keeps every LFS object in a single instance-wide location addressed only by the object's OID, with no per-repository isolation. Second, it does not check that the bytes a client uploads actually hash to the SHA-256 OID the client declared for them. Because an LFS pointer file records the OID in plain text in the repository's history, anyone who can upload LFS objects to any repository on the same instance can read a victim repository's OIDs, upload arbitrary content under one of them and replace the object the victim repository serves. The victim's pointer never changes, so nothing on the Gogs side warns that a downloaded object no longer matches it. This makes the flaw usable for supply-chain attacks against anyone who obtains release artefacts or other large files from the affected instance.

Impact

An attacker needs nothing more than the ability to upload LFS objects to some repository on the instance, for example one they created themselves. With that, they can replace the content behind any LFS object in any other repository while the victim's commits, pointer files and OIDs stay exactly as they were, so the modified file is distributed to downstream consumers with no indication of alteration. Any consumer that trusts the server and does not re-hash what it downloads against the pointer's OID cannot tell the difference.

Reproduction

On a Gogs version prior to 0.14.2, push an LFS-tracked file to repository A and note the OID (the sha256 value) in its pointer file. Then, from an unrelated repository B, upload different content through the LFS upload flow while declaring that same OID. Because the server neither scopes objects to a repository nor verifies the upload against its declared hash, the second upload replaces the object on disk, and repository A now serves the content chosen in B for its unchanged pointer. Uploading malicious content in the second step is exactly the injection path of a supply-chain attack.
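The following Go program is an added illustration, not Gogs's own code: it models the storage decision behind this advisory with a toy object store whose on-disk layout, type and function names (LFSStore, Reproduce), error values and repository names are all my own assumptions, and whose sample blobs are constructed for the demonstration. With Hardened set to false the store reproduces both defects (one global namespace keyed only by OID, no SHA-256 check) and the two-upload sequence above replaces the victim's object. With Hardened set to true, objects are scoped per repository, the upload is hashed while it streams into a temporary file, and content whose size or digest does not match the declared OID is discarded before it can reach the final path.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

var (
	ErrBadOID       = errors.New("lfs: oid must be 64 hex characters")
	ErrSizeMismatch = errors.New("lfs: uploaded size does not match declared size")
	ErrHashMismatch = errors.New("lfs: uploaded content does not hash to its oid")
)

// LFSStore is a toy model of a server-side LFS object store (assumed layout, not
// Gogs's real one). Hardened=false mimics the advisory's pre-0.14.2 behaviour: one
// global namespace keyed only by OID, no hash check. Hardened=true fixes both.
type LFSStore struct {
	Root     string
	Hardened bool
}

// objectPath maps (repo, oid) to a file; the vulnerable variant ignores repo.
// repo is assumed to be an already validated repository identifier.
func (s *LFSStore) objectPath(repo, oid string) string {
	if s.Hardened {
		return filepath.Join(s.Root, "repos", repo, oid[:2], oid[2:4], oid[4:])
	}
	return filepath.Join(s.Root, "global", oid[:2], oid[2:4], oid[4:])
}

// Upload stores the body a client PUTs after an LFS batch "upload" response;
// size is the object size the client declared in that batch request.
func (s *LFSStore) Upload(repo, oid string, size int64, body io.Reader) error {
	if _, err := hex.DecodeString(oid); err != nil || len(oid) != 64 {
		return ErrBadOID
	}
	dst := s.objectPath(repo, oid)
	if err := os.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
		return err
	}
	// Hash while streaming into a temp file so a rejected upload never lands.
	tmp, err := os.CreateTemp(filepath.Dir(dst), ".upload-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op after a successful rename
	h := sha256.New()
	n, err := io.Copy(io.MultiWriter(tmp, h), body)
	tmp.Close()
	if err != nil {
		return err
	}
	if s.Hardened {
		if n != size {
			return ErrSizeMismatch
		}
		if hex.EncodeToString(h.Sum(nil)) != oid {
			return ErrHashMismatch
		}
	}
	return os.Rename(tmp.Name(), dst)
}

func (s *LFSStore) Read(repo, oid string) ([]byte, error) {
	return os.ReadFile(s.objectPath(repo, oid))
}

// Reproduce plays the advisory's sequence (a victim repository stores an object,
// then an attacker with push access to another repository uploads other bytes
// under the same oid) and returns what the victim repository serves afterwards.
func Reproduce(root string, hardened bool) (victimSees string, attackerErr error, err error) {
	s := &LFSStore{Root: root, Hardened: hardened}
	good := []byte("legitimate release artefact v1\n") // constructed sample
	evil := []byte("trojaned artefact\n")              // constructed sample
	sum := sha256.Sum256(good)
	oid := hex.EncodeToString(sum[:]) // the value in the victim's pointer file
	if err := s.Upload("victim/app", oid, int64(len(good)), bytes.NewReader(good)); err != nil {
		return "", nil, err
	}
	// The attacker declares evil's true size but reuses the victim's oid.
	attackerErr = s.Upload("attacker/scratch", oid, int64(len(evil)), bytes.NewReader(evil))
	out, err := s.Read("victim/app", oid)
	return string(out), attackerErr, err
}

func main() {
	for _, hardened := range []bool{false, true} {
		dir, _ := os.MkdirTemp("", "lfs-demo-")
		sees, aErr, err := Reproduce(dir, hardened)
		os.RemoveAll(dir)
		fmt.Printf("hardened=%v victim serves %q attacker got %v (err=%v)\n", hardened, sees, aErr, err)
	}
}
```

Running it prints the vulnerable run first, where the victim's OID now serves the attacker's bytes, followed by the hardened run, where the attacker's upload fails with ErrHashMismatch and the victim's object is untouched. Note that per-repository scoping alone would only stop the cross-repository case; without the digest check, any user with push rights could still replace another object inside the same repository, so the hash verification is what makes OID-addressed storage trustworthy at all.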

Remediation

Update to Gogs version 0.14.2 or later, where this vulnerability has been patched. Upgrading does not undo an overwrite that has already happened, because the victim repository's pointers were never modified; operators of exposed instances should also re-hash the LFS objects already on disk, compare each digest with the OID the object is stored under, and treat any mismatch as tampering.

Added: Mar 5, 2026, 7:31 PM
Updated: Mar 5, 2026, 7:51 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 5.9
remediation: 7.7
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.