Описание
Gogs has an argument Injection in the built-in SSH server
Impact
When the built-in SSH server is enabled ([server] START_SSH_SERVER = true), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by RUN_USER in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.
Patches
The env command sent to the internal SSH server has been changed to be a passthrough (https://github.com/gogs/gogs/pull/7868), i.e. the feature is effectively removed. Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
Workarounds
Disable the use of built-in SSH server on operating systems other than Windows.
References
Пакеты
gogs.io/gogs
<= 0.13.0
0.13.1
Связанные уязвимости
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
Уязвимость программного средства создания самоуправляемых Git-репозиториев Gogs, связанная с внедрением или модификацией аргументов, позволяющая нарушителю выполнять произвольные команды