Platform
go
Component
gogs.io/gogs
Fixed version
0.12.9
CVE-2022-1992 is a critical Path Traversal vulnerability discovered in Gogs, a self-hosted Git service. This flaw allows attackers to read arbitrary files on the server, potentially exposing sensitive data like configuration files or source code. The vulnerability impacts versions of Gogs prior to 0.12.9, and a patch is available to address the issue.
The impact of this vulnerability is significant. An attacker exploiting CVE-2022-1992 can leverage the file editor functionality to traverse directories and access files outside of the intended scope. This could lead to the exposure of sensitive information, including database credentials, API keys, and private repositories. Successful exploitation could also facilitate further attacks, such as code execution if configuration files contain sensitive scripts or commands. The blast radius extends to any data stored on the server accessible by the Gogs process.
CVE-2022-1992 was published on August 21, 2024. While no active exploitation campaigns have been publicly reported, the critical severity and ease of exploitation make it a potential target. There are currently no known public proof-of-concept exploits. The vulnerability is not currently listed on CISA KEV.
Organizations running self-hosted Gogs instances, particularly those with sensitive code or data stored in Git repositories, are at risk. Environments with weak access controls or legacy configurations are especially vulnerable. Shared hosting environments where multiple users share a Gogs instance also face increased risk.
• linux / server: Monitor Gogs logs for unusual file access attempts. Use auditd to track file access events and look for patterns indicative of path traversal. Because this flaw is an arbitrary file read, the watch must include read (r) access; a write/attribute-only watch would miss exploitation entirely.
auditctl -w /path/to/gogs/files -p rwa -k gogs_traversal
• windows / supply-chain: Monitor PowerShell execution logs for commands attempting to access files outside the Gogs installation directory. Check Autoruns for any suspicious entries related to Gogs.
• generic web: Attempt to access files outside the expected directory through the file editor interface. Examine web server access logs for requests containing directory traversal sequences (e.g., ../).
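The log review suggested in the generic web bullet misses encoded variants if it only greps for a literal `../`. The following added example (written for this advisory, not code from Gogs or from the page's author) scans constructed combined-format access log lines, percent-decodes each request path up to three times so that `%2e%2e%2f` and double-encoded `%252e` forms are unwrapped, folds backslashes into slashes, and then flags only requests that contain a whole `..` segment, so a file legitimately named `..notes.md` is not reported. The log lines, client addresses and paths are all constructed sample data.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access log lines in combined-log style; not taken from any real server.
var sampleLog = []string{
	`10.0.0.5 - - [21/Aug/2024:10:00:01 +0000] "GET /org/repo/_edit/master/README.md HTTP/1.1" 200 1532`,
	`10.0.0.7 - - [21/Aug/2024:10:00:02 +0000] "GET /org/repo/_edit/master/../../../../etc/passwd HTTP/1.1" 200 2210`,
	`10.0.0.7 - - [21/Aug/2024:10:00:03 +0000] "GET /org/repo/_edit/master/%2e%2e%2f%2e%2e%2fconf/app.ini HTTP/1.1" 200 904`,
	`10.0.0.7 - - [21/Aug/2024:10:00:04 +0000] "GET /org/repo/_edit/master/%252e%252e%252fconf/app.ini HTTP/1.1" 404 120`,
	`10.0.0.9 - - [21/Aug/2024:10:00:05 +0000] "GET /org/repo/src/master/docs/..notes.md HTTP/1.1" 200 310`,
}

// Finding describes one request whose decoded path contains a ".." segment.
type Finding struct {
	Line    int    // 1-based line number in the input
	Client  string // client address from the first log field
	Status  string // HTTP status code as logged
	Raw     string // request path exactly as logged
	Decoded string // request path after percent-decoding and separator normalisation
}

// reqRe pulls the request path and status code out of a combined-log line.
var reqRe = regexp.MustCompile(`"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/[0-9.]+" (\d{3})`)

// normalizePath percent-decodes the path repeatedly (to unwrap double encoding
// such as %252e) and folds backslashes into forward slashes so that "..\" is
// treated the same as "../".
func normalizePath(p string) string {
	s := p
	for i := 0; i < 3; i++ {
		u, err := url.PathUnescape(s)
		if err != nil || u == s {
			break
		}
		s = u
	}
	return strings.ReplaceAll(s, `\`, "/")
}

// hasTraversalSegment reports whether any path segment is exactly "..".
// Checking whole segments avoids false positives on names like "..notes.md".
func hasTraversalSegment(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// findTraversal scans log lines and returns every request that carries a
// traversal segment, whether plain, percent-encoded or double-encoded.
func findTraversal(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := reqRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		rawPath := m[1]
		// Only the path component matters here; drop any query string first.
		if q := strings.IndexByte(rawPath, '?'); q >= 0 {
			rawPath = rawPath[:q]
		}
		decoded := normalizePath(rawPath)
		if !hasTraversalSegment(decoded) {
			continue
		}
		client := ""
		if fields := strings.Fields(line); len(fields) > 0 {
			client = fields[0]
		}
		out = append(out, Finding{Line: i + 1, Client: client, Status: m[2], Raw: m[1], Decoded: decoded})
	}
	return out
}

func main() {
	for _, f := range findTraversal(sampleLog) {
		fmt.Printf("line %d client %s status %s: %s -> %s\n", f.Line, f.Client, f.Status, f.Raw, f.Decoded)
	}
}
```

The status code is kept in each finding because a 200 on a traversal request is the case to triage first: it indicates the server served something, whereas a 404 shows the attempt was blocked or mistyped. Feed real log files through `findTraversal` line by line with `bufio.Scanner` instead of the embedded slice.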
Disclosure
Exploit status
EPSS
1.69% (82nd percentile)
CVSS vector
The primary mitigation for CVE-2022-1992 is to upgrade Gogs to version 0.12.9 or later. If an immediate upgrade is not feasible, consider restricting access to the file editor functionality through firewall rules or access control lists. Monitor file system activity for suspicious access patterns. There are no specific WAF rules or detection signatures readily available, so focus on prompt patching and access control. After upgrading, confirm the fix by attempting to access files outside the intended directory via the file editor; access should be denied.
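The fix for this class of bug is a containment check in the file-editor handler: the user-supplied tree path is joined onto the repository root and the result is accepted only if it still lies under that root. The following added example illustrates that check; it is hypothetical code written for this advisory, not the Gogs source or the 0.12.9 patch, and `resolveWithinBase`, `ErrOutsideBase` and the repository root path are all assumed names.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path would resolve outside the
// repository root the editor is allowed to touch.
var ErrOutsideBase = errors.New("path escapes repository root")

// resolveWithinBase joins a user-supplied tree path onto base and returns the
// resulting absolute path only if it still lies inside base. Hypothetical helper
// written for this advisory; it is not code from Gogs or from the 0.12.9 patch.
func resolveWithinBase(base, userPath string) (string, error) {
	cleanBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Treat the input as relative even when it arrives with a leading slash or
	// backslash; normalise separators so "..\" cannot slip past a "../" check.
	rel := strings.TrimLeft(strings.ReplaceAll(userPath, `\`, "/"), "/")
	// filepath.Join cleans the result, so any ".." segments are resolved here.
	candidate := filepath.Join(cleanBase, filepath.FromSlash(rel))
	// Rel tells us whether cleaning climbed above the base: an escape shows up as
	// a relative path that is exactly ".." or starts with "../".
	relToBase, err := filepath.Rel(cleanBase, candidate)
	if err != nil {
		return "", err
	}
	if relToBase == ".." || strings.HasPrefix(relToBase, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

func main() {
	base := "/srv/gogs/repositories/org/repo" // constructed example root
	for _, p := range []string{"docs/README.md", "docs/../README.md", "../../../../etc/passwd", `..\..\conf\app.ini`} {
		got, err := resolveWithinBase(base, p)
		fmt.Printf("%-28q -> %q %v\n", p, got, err)
	}
}
```

Two points a practitioner should keep in mind. A `..` that stays inside the tree (`docs/../README.md`) is legitimately allowed, because the check is on the cleaned result, not on the presence of the string `..`. The check is purely lexical: if the repository tree can contain symlinks, resolve the accepted path with `filepath.EvalSymlinks` and run the same containment test on the resolved path, since a symlink inside the root can still point outside it. Either way, this illustrates the fix rather than replacing it; upgrading to 0.12.9 or later remains the mitigation.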
Update Gogs to version 0.12.9 or later. This version contains the fix for the Path Traversal vulnerability. Download the new version and perform the update by following the update procedure provided by Gogs.
CVE-2022-1992 is a critical vulnerability in Gogs allowing attackers to read arbitrary files on the server through the file editor. It affects versions before 0.12.9.
You are affected if you are running a Gogs version earlier than 0.12.9. Check your Gogs version and upgrade immediately if necessary.
Upgrade Gogs to version 0.12.9 or later to patch the vulnerability. If upgrading is not immediately possible, restrict access to the file editor.
No active exploitation campaigns have been publicly reported, but the vulnerability's severity makes it a potential target.
Refer to the Gogs release notes and security advisories on the official Gogs website: https://gogs.io/.