Vulnerability Description
In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.
CVSS Score
7.5
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gogs | Gogs | < 0.11.82.1218 |
Related Weaknesses (CWE)
References
- https://github.com/gogs/gogs/commit/ff93d9dbda5cebe90d86e4b7dfb2c6b8642970cePatchThird Party Advisory
- https://github.com/gogs/gogs/issues/5558Issue TrackingPatchThird Party Advisory
- https://pentesterlab.com/exercises/cve-2018-18925/ExploitThird Party Advisory
- https://github.com/gogs/gogs/commit/ff93d9dbda5cebe90d86e4b7dfb2c6b8642970cePatchThird Party Advisory
- https://github.com/gogs/gogs/issues/5558Issue TrackingPatchThird Party Advisory
- https://pentesterlab.com/exercises/cve-2018-18925/ExploitThird Party Advisory
FAQ
What is CVE-2018-20303?
CVE-2018-20303 is a vulnerability with a CVSS score of 7.5 (HIGH). In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE...
How severe is CVE-2018-20303?
CVE-2018-20303 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-20303?
Check the references section above for vendor advisories and patch information. Affected products include: Gogs Gogs.