9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2024

GHSA ID

GHSA-pfvh-p8qp-9ww9

EPSS Score

0.97388%

CWE

CWE-78

Published

2/28/2023

Updated

3/9/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2024

CVE-2022-2024: Gogs OS Command Injection vulnerability

Impact

The malicious user is able to update a crafted config file into repository's .git directory in combination with crafted file deletion to gain SSH access to the server on case-insensitive file systems. All installations with repository upload enabled (default) on case-insensitive file systems (Windows, macOS, etc.) are affected.

Patches

Make sanitization of upload path to .git directory to be case-insensitive. Users should upgrade to 0.12.11 or the latest 0.13.0+dev.

Workarounds

Disable repository upload.

References

https://huntr.dev/bounties/18cf9256-23ab-4098-a769-85f8da130f97/

For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7030.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2024

GHSA ID

GHSA-pfvh-p8qp-9ww9

EPSS Score

0.97388%

CWE

CWE-78

Published

2/28/2023

Updated

3/9/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
gogs.io/gogs	go	< 0.12.11	0.12.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient case-insensitive validation in path checks for .git directory protection. The patch adds strings.ToLower(path) normalization, confirming the original function's case-sensitive implementation was the flaw. This function was responsible for preventing writes to .git directories, and its case-sensitive check failed to block alternate casing variants on case-insensitive filesystems.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** m*li*ious us*r is **l* to up**t* * *r**t** `*on*i*` *il* into r*pository's `.*it` *ir**tory in *om*in*tion wit* *r**t** *il* **l*tion to **in SS* ****ss to t** s*rv*r on **s*-ins*nsitiv* *il* syst*ms. *ll inst*ll*tions wit* [r*positor

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt **s*-ins*nsitiv* `v*li**tion` in p*t* ****ks *or `.*it` *ir**tory prot**tion. T** p*t** ***s `strin*s.ToLow*r(p*t*)` norm*liz*tion, *on*irmin* t** ori*in*l *un*tion's **s*-s*nsitiv* impl*m*nt*tion w*s t** *l*

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-2024: Gogs OS Command Injection vulnerability

Impact

Patches

Workarounds

References

For more information

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI