2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article covers the Gogs/Gitea remote command execution vulnerabilities: background, description, affected versions, and the fix.
0x00 Vulnerability Background
On November 5, Xuanwu Lab researchers discovered a remote command execution vulnerability in Gogs and Gitea and issued a security report (vulnerability number: CVE-2018-18925/6).
Gogs (aka Go Git Service) is a self-hosted Git service written in Go and developed by the Gogs team. It supports creating and migrating public/private repositories, adding and removing repository collaborators, and so on. Gitea is a fork of Gogs and is also affected.
0x01 Vulnerability Description
In a default installation, vulnerabilities in user session management in Gogs and Gitea allow an attacker to elevate a registered ordinary user to administrator privileges and then execute arbitrary commands via git hooks.
0x02 Affected Versions
Gogs 0.11.66 and earlier
Gitea 1.5.3 and earlier
0x03 Repair plan
Gogs: download the source from GitHub and build the develop branch, where this vulnerability has been fixed.
Gitea: the fix is available in version 1.5.4.
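To apply the affected-version ranges from 0x02 across a list of deployed instances, the following is an added example (not code from Gogs, Gitea, or the original report). The inventory entries, host names, and function names are constructed for illustration; only the version thresholds come from this article.

```python
import re

# Last affected releases, as stated in section 0x02 of this article.
LAST_AFFECTED = {"gogs": (0, 11, 66), "gitea": (1, 5, 3)}


def parse_version(text):
    """Return the leading (major, minor, patch) of a version string.

    Accepts forms such as 'v1.5.3', '1.5.3+dev-12-gabc', '0.11.66.0916'.
    Build suffixes and a fourth component are ignored.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(product, version):
    """True if the version is at or below the last affected release."""
    key = product.lower()
    if key not in LAST_AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    return parse_version(version) <= LAST_AFFECTED[key]


def triage(inventory):
    """Map (host, product, version) records to (host, status) pairs.

    Unparseable records are reported as UNKNOWN rather than skipped, so
    they get a manual check. A version string cannot prove that a source
    build contains the fix: the article names no fixed Gogs release, so a
    develop build that still reports 0.11.66 is flagged as AFFECTED here.
    """
    results = []
    for host, product, version in inventory:
        try:
            hit = is_affected(product, version)
            status = "AFFECTED" if hit else "not listed as affected"
        except ValueError:
            status = "UNKNOWN"
        results.append((host, status))
    return results


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("git-a.example.internal", "gogs", "0.11.66.0916"),
    ("git-b.example.internal", "gitea", "1.5.4"),
    ("git-c.example.internal", "Gitea", "v1.5.3+dev-12-gabc"),
    ("git-d.example.internal", "gitea", "unknown-build"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}: {status}")
```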
That covers the Gogs/Gitea remote command execution vulnerability. If you have similar questions, refer to the analysis above; to learn more, follow the industry information channel.