
A critical vulnerability in Gogs enables remote code execution under specific conditions. An authenticated user can create a pull request using a malicious branch name that injects the --exec flag into git rebase during the “Rebase before merging” operation. Git rebase rewrites history by replaying commits from one branch onto another base branch, and it can accept a shell command via --exec that runs after each commit is replayed. The flaw does not require admin privileges or interaction with other users. An attacker can create an account and repository on a default-configured instance, since any registered user who creates a repository becomes its owner and can enable rebase merging with a settings toggle. If repository creation is restricted, write access to a repository with rebase enabled is sufficient.
"The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the 'Rebase before merging' merge operation,"
"Any registered user who creates a repo is automatically its owner," Burgess said. "From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user."
"In an alternative scenario, a user with write access to a repository where rebase is already enabled can exploit the flaw directly to obtain code execution. On Gogs instances where repository creation is restricted, an attacker is required to have write access to any repository that has rebase merging enabled."
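The root cause described above is that a user-controlled branch name reaches a `git rebase` command line unchecked, so a name beginning with `-` is parsed by git as an option rather than as a ref. The following is an added example, not Gogs's own code or its fix: a branch-name validator that rejects option-looking names and enforces a subset of the rules `git check-ref-format` applies, plus a hypothetical `RebaseArgv` helper that refuses to build a rebase command line for any ref that fails validation. The positional `base head` argument order and all sample names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// IsSafeBranchName reports whether a user-supplied branch name may be passed
// to a git subprocess. The first rule is the one that matters for the flaw
// discussed on this page: a name starting with '-' would be consumed by git
// as a flag. The remaining checks follow the documented rules of
// `git check-ref-format --branch` (example code, not Gogs's implementation).
func IsSafeBranchName(name string) bool {
	if name == "" || name == "@" {
		return false
	}
	// Option injection guard: git treats a leading dash as an option.
	if strings.HasPrefix(name, "-") {
		return false
	}
	// No leading/trailing slash, no trailing dot.
	if strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") {
		return false
	}
	// No "..", no empty path components, no "@{" reflog syntax.
	if strings.Contains(name, "..") || strings.Contains(name, "//") || strings.Contains(name, "@{") {
		return false
	}
	// No control characters, whitespace, or glob/revision metacharacters.
	for _, r := range name {
		if r < 0x20 || r == 0x7f {
			return false
		}
		switch r {
		case ' ', '~', '^', ':', '?', '*', '[', '\\':
			return false
		}
	}
	// No path component may begin with '.' or end with ".lock".
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return false
		}
	}
	return true
}

// RebaseArgv builds the argument vector for a server-side rebase of head onto
// base, refusing any ref that fails validation so that no user-controlled
// value can ever occupy an option position. Hypothetical helper for this
// example; argument order is assumed.
func RebaseArgv(base, head string) ([]string, error) {
	for _, ref := range []string{base, head} {
		if !IsSafeBranchName(ref) {
			return nil, fmt.Errorf("refusing ref %q: not a valid branch name", ref)
		}
	}
	return []string{"git", "rebase", base, head}, nil
}

func main() {
	// Constructed sample names: one legitimate, three that must be rejected.
	for _, n := range []string{"feature/rebase-fix", "--exec", "release.lock", "a..b"} {
		fmt.Printf("%-22q safe=%v\n", n, IsSafeBranchName(n))
	}
	if argv, err := RebaseArgv("main", "feature/rebase-fix"); err == nil {
		fmt.Println(strings.Join(argv, " "))
	}
	if _, err := RebaseArgv("main", "--exec"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The validator is deliberately strict rather than complete: it is cheaper to reject a name git would accept than to accept one git would parse as an option. Validation at the point of ref creation (push, branch create, pull-request open) is the defence that closes the whole class, independent of which git subcommand later receives the name.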
Read at The Hacker News