Critical Flaw in Gogs Code Collaboration Platform Allows Unauthorized Repository Access

CSBadmin

Vulnerability Details

A critical security flaw has been discovered in the Gogs code collaboration platform that could allow attackers to compromise internet-facing servers and access any repositories, including private ones. The vulnerability is an argument injection flaw that affects all Gogs releases up to and including version 0.14.2 and the 0.15.0 development branch. Exploitation requires authenticated access, but researchers note that many default installations allow open registration, enabling potential attackers to simply create an account and then exploit the vulnerability.

The flaw was discovered and reported by Rapid7 security researcher Jonah Burgess, who demonstrated that any registered user who creates a repository is automatically its owner. From there, enabling a specific merge option through a single toggle in settings completes the exploit chain without any interaction from other users. This vulnerability stands out because it affects a different code path than previously patched issues, leaving it unaddressed until now.

Impact and Mitigation

Attackers who successfully exploit this vulnerability can compromise the targeted server, read any repository including private ones, steal credentials, move laterally to other network systems, and alter any hosted source code. Internet security tracking services currently monitor thousands of exposed Gogs servers, with the majority located in Asia and Europe. The Gogs maintainers released version 0.14.3 to patch this flaw after initial reports received no response.

For users unable to patch immediately, Rapid7 recommends restricting user registration to prevent untrusted accounts from being created, as this is the most impactful mitigation. Additionally, restricting repository creation can block the easiest attack path. The flaw is similar to other argument injection vulnerabilities that have been patched in recent years, but targets a previously unaddressed code path. This incident follows a related remote code execution vulnerability in Gogs that was previously exploited in zero-day attacks to compromise hundreds of servers.
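As an added example (not from the article, Rapid7 or the Gogs project), a small audit script that checks a Gogs app.ini for the two mitigations above and compares the running version to the patched release. The `[service] DISABLE_REGISTRATION` and `[repository] MAX_CREATION_LIMIT` keys, the meaning of `0` as "no repository creation", and the `+dev` suffix on development builds are assumptions about Gogs' configuration and version strings.

```python
"""Audit a Gogs app.ini for the mitigations Rapid7 recommends (restricted
registration, restricted repository creation) and check the server version
against the 0.14.3 fix. Constructed example; not Gogs' own code."""
import configparser

# Constructed sample configs in Gogs' app.ini layout. The key names are
# assumed from Gogs' default custom/conf/app.ini, not taken from the article.
WEAK_INI = """
[service]
DISABLE_REGISTRATION = false

[repository]
MAX_CREATION_LIMIT = -1
"""

HARDENED_INI = """
[service]
DISABLE_REGISTRATION = true

[repository]
MAX_CREATION_LIMIT = 0
"""


def audit_ini(text: str) -> list[str]:
    """Return a list of findings; an empty list means both mitigations are set."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    # Open registration lets an untrusted party obtain the account the flaw requires.
    if not cfg.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
        findings.append("open registration: set [service] DISABLE_REGISTRATION = true")
    # -1 (unlimited) or any positive limit still lets a new user own a repository;
    # 0 is assumed to mean "no creation" for users without a per-user override.
    if cfg.getint("repository", "MAX_CREATION_LIMIT", fallback=-1) != 0:
        findings.append("repo creation allowed: set [repository] MAX_CREATION_LIMIT = 0")
    return findings


def version_is_patched(version: str) -> bool:
    """True if the version carries the 0.14.3 fix. Assumes 'X.Y.Z' release
    strings and an 'X.Y.Z+dev' suffix for development builds; development
    builds are treated as unpatched because the 0.15.0 branch was affected."""
    if version.endswith("+dev"):
        return False
    parts = tuple(int(p) for p in version.split("."))
    return parts >= (0, 14, 3)
```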

Source: BleepingComputer
