First published: Tue May 31 2022
Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (a registered user) can overwrite the Git configuration of their own repository. This leads to remote command execution, because that configuration can contain an option such as sshCommand, which is executed when the master branch is a remote branch (using an ssh:// URI). The remote branch can also be configured by editing the Git configuration file. One can create a new file in a new repository, using the GUI, with "\" as its name, and then rename this file to .git/config with the custom configuration content (and then save it).
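Two defender-side checks that follow from the description, added here as an example and not code from Gogs or from the advisory: a path validator of the kind a web editor needs before creating or renaming a file (it rejects anything that normalises into .git, including the "\" filename above), and an audit helper that flags a repository config setting core.sshCommand. The function names and the sample config string are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ValidateRepoFilePath rejects user-supplied tree paths that escape the work
// tree or reach into .git (e.g. ".git/config"). Hypothetical helper, not Gogs' fix.
func ValidateRepoFilePath(p string) (string, error) {
	// Backslashes become separators, so a file literally named "\" cannot
	// survive as a component and later be renamed to ".git/config".
	clean := strings.TrimPrefix(path.Clean(strings.ReplaceAll(p, "\\", "/")), "/")
	if clean == "" || clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", fmt.Errorf("path %q is empty or escapes the repository", p)
	}
	for _, seg := range strings.Split(clean, "/") {
		if strings.EqualFold(seg, ".git") {
			return "", fmt.Errorf("path %q targets the .git directory", p)
		}
	}
	return clean, nil
}

// ConfigSetsSSHCommand reports whether a Git config body sets core.sshCommand,
// the option the advisory names; run it over existing .git/config files to audit.
func ConfigSetsSSHCommand(cfg string) bool {
	inCore := false
	for _, line := range strings.Split(cfg, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") {
			inCore = strings.EqualFold(line, "[core]")
			continue
		}
		key := strings.ToLower(strings.TrimSpace(strings.SplitN(line, "=", 2)[0]))
		if inCore && key == "sshcommand" {
			return true
		}
	}
	return false
}

func main() {
	for _, p := range []string{"src/main.go", "\\", "docs/../.GIT/config"} {
		clean, err := ValidateRepoFilePath(p)
		fmt.Printf("%q -> %q, %v\n", p, clean, err)
	}
	fmt.Println(ConfigSetsSSHCommand("[core]\n\tsshCommand = echo x\n")) // constructed sample
}
```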
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Gogs Gogs | <0.12.8 | Upgrade to 0.12.8
The vulnerability ID is CVE-2021-32546.
The severity of CVE-2021-32546 is high with a severity value of 8.8.
An attacker exploits CVE-2021-32546 by overwriting the Git configuration of a repository they control, which results in remote code execution.
Gogs before version 0.12.8 is affected by CVE-2021-32546.
A fix for CVE-2021-32546 is available in Gogs version 0.12.8.