Gogs through 0.13.0 allows deletion of internal files.
The error classified as CWE-552 (Files or Directories Accessible to External Parties) consists of the fact that the Gogs application does not properly verify access permissions to internal files before performing their deletion operations. An authenticated user with low privileges can send an appropriately crafted network request that will cause files belonging to the internal application structure to be deleted. The vulnerability is accessible remotely, without requiring any interaction on the victim's side.
An attacker can permanently delete internal files of the Gogs server, which may lead to loss of repository data, service disruption, or creation of conditions for further attack escalation. The impact includes high risk to the confidentiality, integrity, and availability of the system.
Apply patches available from the vendor according to the references – the latest release is available at https://github.com/gogs/gogs/releases. All Gogs instances must be immediately updated to a version higher than 0.13.0.
Gogs version 0.13.0 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HGogs
APPGogs≤ 0.13.0
Related vulnerabilities
Gogs: nadpisywanie obiektów LFS między repozytoriami – atak na łańcuch dostaw
Gogs: ominięcie patcha CVE-2024-56731 umożliwia RCE przez .git
Gogs: RCE przez usuwanie plików w katalogu .git (bypass patcha CVE-2024-39931)
RCE w Gogs poprzez command injection w parametrze tree_path (Windows)
Argument injection w serwerze SSH Gogs prowadzący do RCE