Gogs has patched a critical zero-day flaw that allows attackers to compromise Internet-facing instances and read any repository they host, including private ones.
The argument injection vulnerability has not yet been assigned a CVE ID. It requires an authenticated account but no admin privileges, and it affects all Gogs releases up to and including 0.14.2, as well as 0.15.0+dev.
Attackers can exploit it to compromise the targeted server, read any repository (including private ones), steal credentials, move laterally to other systems on the network, and alter any hosted source code.
While threat actors need at least basic user privileges to exploit the flaw, Rapid7 security researcher Jonah Burgess, who discovered and reported it, said it affects all Gogs servers running the default configuration.
"Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance," Burgess warned two weeks ago.
"Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user."
Over the weekend, on June 7, the Gogs maintainers released version 0.14.3 to patch the flaw and requested a CVE ID. That was 10 days after the cybersecurity company publicly disclosed it, a step Rapid7 took after multiple status updates to the maintainers went unanswered.
"Rapid7 recommends that all Gogs users upgrade immediately. The fix was implemented via pull request #8301," Burgess added.
Rapid7 also shared mitigation measures for users who cannot patch their Gogs instances immediately:
Restrict user registration (DISABLE_REGISTRATION = true in app.ini) to prevent untrusted users from creating accounts. This is the most impactful mitigation since the exploit is self-contained within a single user's repository.
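The two settings quoted above decide whether an unauthenticated attacker can reach the exploit at all. The following script, an added example rather than Rapid7's or the Gogs project's code, reads an app.ini and a version string offline and reports whether an instance is still on a vulnerable release and whether it still exposes the default self-registration path. It assumes the key placement of the Gogs repository's own conf/app.ini, where DISABLE_REGISTRATION sits under [service] and MAX_CREATION_LIMIT under [repository]; the two sample configs are constructed for the example, and the function names are the example's own.

```python
"""Offline exposure check for the Gogs argument injection flaw.

Added example, not Rapid7's or the Gogs project's code. Assumes the
conf/app.ini layout of the Gogs repository ([service] holds
DISABLE_REGISTRATION, [repository] holds MAX_CREATION_LIMIT).
"""
import configparser
import re

# First release carrying the fix (pull request #8301), per the article.
FIXED_VERSION = (0, 14, 3)


def parse_version(version: str):
    """Split '0.14.2' or '0.15.0+dev' into a numeric tuple and a dev flag."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(\+dev)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Gogs version: {version!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    return nums, m.group(4) is not None


def is_patched(version: str) -> bool:
    """True only for release builds at or above 0.14.3.

    The advisory lists 0.15.0+dev as affected, so a +dev build is never
    reported as patched here even though it sorts above 0.14.3; treat it
    as unconfirmed and check the build's commit against the fix instead.
    """
    nums, dev = parse_version(version)
    return not dev and nums >= FIXED_VERSION


def assess_app_ini(ini_text: str) -> dict:
    """Report whether an unauthenticated attacker can self-register and
    create a repository, which is the entry point of the exploit chain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Gogs allows keys before the first section header (APP_NAME, RUN_MODE);
    # configparser does not, so park them in a throwaway section.
    cp.read_string("[__root__]\n" + ini_text)
    # Gogs defaults when a key is absent: registration open, no repo limit.
    disable_registration = cp.getboolean(
        "service", "DISABLE_REGISTRATION", fallback=False)
    max_creation_limit = cp.getint(
        "repository", "MAX_CREATION_LIMIT", fallback=-1)
    open_registration = not disable_registration
    can_create_repo = max_creation_limit != 0  # -1 means unlimited
    return {
        "open_registration": open_registration,
        "max_creation_limit": max_creation_limit,
        "unauthenticated_attacker_path": open_registration and can_create_repo,
    }


def exposure_report(version: str, ini_text: str) -> dict:
    """Combine the version and config checks into one verdict."""
    cfg = assess_app_ini(ini_text)
    patched = is_patched(version)
    return {
        "patched": patched,
        "config": cfg,
        # Vulnerable release plus default registration: anyone on the
        # Internet can run the chain. Authenticated users can still run
        # it on a vulnerable release even when registration is closed.
        "exploitable_without_account": (not patched)
        and cfg["unauthenticated_attacker_path"],
    }


# Constructed sample: a stock install that keeps both defaults.
DEFAULT_APP_INI = """\
APP_NAME = Gogs
RUN_MODE = prod

[repository]
ROOT = /home/git/gogs-repositories
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
"""

# Constructed sample: registration closed, the mitigation Rapid7 ranks first.
HARDENED_APP_INI = """\
APP_NAME = Gogs
RUN_MODE = prod

[repository]
ROOT = /home/git/gogs-repositories
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = true
"""

if __name__ == "__main__":
    for label, ver, ini in (("default install", "0.14.2", DEFAULT_APP_INI),
                            ("closed registration", "0.14.2", HARDENED_APP_INI),
                            ("patched release", "0.14.3", DEFAULT_APP_INI),
                            ("dev build", "0.15.0+dev", DEFAULT_APP_INI)):
        print(label, exposure_report(ver, ini))
```

Closing registration removes only the unauthenticated path; on a release below 0.14.3 any existing account can still run the chain from its own repository, so the version check is the one that actually decides whether the instance is safe.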