x/vulndb: potential Go vuln in github.com/gogs/gogs: CVE-2021-32546 #471
Labels
excluded: NOT_IMPORTABLE
This vulnerability only exists in a binary and is not importable.
Comments
|
Vulnerability in tool. |
neild
added
excluded: NOT_IMPORTABLE
|
Change https://go.dev/cl/592768 mentions this issue: |
This was referenced Jul 4, 2024
|
Change https://go.dev/cl/607219 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
- data/reports/GO-2022-0457.yaml - data/reports/GO-2022-0458.yaml - data/reports/GO-2022-0459.yaml - data/reports/GO-2022-0471.yaml - data/reports/GO-2022-0473.yaml - data/reports/GO-2022-0480.yaml - data/reports/GO-2022-0482.yaml - data/reports/GO-2022-0483.yaml - data/reports/GO-2022-0490.yaml - data/reports/GO-2022-0491.yaml - data/reports/GO-2022-0494.yaml - data/reports/GO-2022-0495.yaml - data/reports/GO-2022-0496.yaml - data/reports/GO-2022-0497.yaml - data/reports/GO-2022-0498.yaml - data/reports/GO-2022-0499.yaml - data/reports/GO-2022-0500.yaml - data/reports/GO-2022-0501.yaml - data/reports/GO-2022-0502.yaml - data/reports/GO-2022-0505.yaml Updates #457 Updates #458 Updates #459 Updates #471 Updates #473 Updates #480 Updates #482 Updates #483 Updates #490 Updates #491 Updates #494 Updates #495 Updates #496 Updates #497 Updates #498 Updates #499 Updates #500 Updates #501 Updates #502 Updates #505 Change-Id: I92c5f4afd83bb1c6bd9f448bc65ca730c64ce770 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607219 Auto-Submit: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2021-32546 references github.com/gogs/gogs, which may be a Go module.
Description:
Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configuration can contain an option such as sshCommand, which is executed when a master branch is a remote branch (using an ssh:// URI). The remote branch can also be configured by editing the Git configuration file. One can create a new file in a new repository, using the GUI, with "" as its name, and then rename this file to .git/config with the custom configuration content (and then save it).
Links:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: