CVE-2022-1884 — CRITICAL (9.8)

Q: How severe is CVE-2022-1884?

CVE-2022-1884 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-1884?

Check the references section above for vendor advisories and patch information. Affected products include: Gogs Gogs, Microsoft Windows.

Vulnerability Description

A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the .git directory, allowing them to write or rewrite the `.git/config` file. If the `core.sshCommand` is set, this can lead to remote command execution.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gogs	Gogs	<= 0.12.7
Microsoft	Windows	-

Related Weaknesses (CWE)

CWE-78 CWE-77

References

https://huntr.com/bounties/9cd4e7b7-0979-4e5e-9a1c-388b58dea76bExploitThird Party Advisory

FAQ

What is CVE-2022-1884?

CVE-2022-1884 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter durin...

How severe is CVE-2022-1884?

CVE-2022-1884 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-1884?

Check the references section above for vendor advisories and patch information. Affected products include: Gogs Gogs, Microsoft Windows.