No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out
Briefly

A critical remote code execution vulnerability in Gogs can be exploited by any authenticated user on a default installation, with no special privileges required. The flaw allows full compromise of vulnerable servers, theft of credentials and multi-factor authentication secrets, and modification of code in hosted repositories, which opens the door to supply-chain attacks. The vulnerability was reported to the maintainers in mid-March and carries a 9.4 severity rating. The maintainers acknowledged receipt but have provided no further updates, and no official fix is available yet. A public Metasploit module exists, so in-the-wild exploitation is expected soon. The issue affects all supported platforms (Windows, Linux, and macOS) and all installation methods; a pull request with a suggested fix is awaiting review.
"A critical, remote code execution (RCE) bug in Gogs, a popular open-source self-hosted Git service, can be exploited by any authenticated user - no special privileges required - on a default installation to fully compromise vulnerable servers, steal credentials and multi-factor authentication secrets, or even modify code in hosted repositories in a wide-reaching supply-chain attack."
"A security researcher reported the 9.4-rated flaw to project maintainers in mid-March. It still doesn't have a patch. It does, however, have a public Metasploit module - so we'd expect reports of in-the-wild exploitation to start very soon."
"The vulnerability affects all supported platforms, including Windows, Linux, and macOS, and installation methods, according to Rapid7 researcher Jonah Burgess, who found and reported the bug to Gogs maintainers via GitHub (GHSA-qf6p-p7ww-cwr9) on March 17."
"'We have not received any further communication from Gogs, and the GHSA has remained unanswered since March 28,' Burgess told The Register. 'Because there is currently no official patch, our team submitted a pull request with a suggested fix today [Friday], which is currently awaiting review. At this time, we have no evidence suggesting that this vulnerability is being exploited in the wild.'"
Read at theregister