x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-67mx-jc2f-jgjm

[julieqiu]

In GitHub Security Advisory GHSA-67mx-jc2f-jgjm, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
gogs.io/gogs	0.12.9	< 0.12.9

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: gogs.io/gogs
    versions:
      - fixed: 0.12.9
description: |
    ### Impact

    The malicious user is able to update a crafted `config` file into repository's `.git` directory in combination with crafted file deletion to gain SSH access to the server. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.

    ### Patches

    File deletions are prohibited to repository's `.git` directory. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.

    ### Workarounds

    N/A

    ### References

    https://huntr.dev/bounties/776e8f29-ff5e-4501-bb9f-0bd335007930/

    ### For more information

    If you have any questions or comments about this advisory, please post on #7000.
published: 2022-06-08T22:34:21Z
last_modified: 2022-06-17T19:21:47Z
cves:
  - CVE-2022-1986
ghsas:
  - GHSA-67mx-jc2f-jgjm
links:
    context:
      - https://github.com/advisories/GHSA-67mx-jc2f-jgjm

[tatianab]

Code is not importable

[gopherbot]

Change https://go.dev/cl/592769 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607220 mentions this issue: data/reports: unexclude 20 reports (18)