Attacker Value
Very High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
High
Attack Vector
Network
1

CVE-2020-15867

Disclosure Date: October 16, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. NOTE: because this is mentioned in the documentation but not in the UI, it could be considered a “Product UI does not Warn User of Unsafe Actions” issue.

Add Assessment

3
Ratings
Technical Analysis

This vulnerability is similar to the Gitea vulnerability identified as CVE-2020-14144 (Gitea is a fork of Gogs). Please refer to this assessment for details. At the time of writing, no mitigation has been implemented in Gogs. So, it is highly recommended to set the DISABLE_GIT_HOOKS configuration setting to true to completely disable this feature and prevent all users (including admin) from creating custom Git hooks. It is a serious security risk.

CVSS V3 Severity and Metrics
Base Score:
7.2 High
Impact Score:
5.9
Exploitability Score:
1.2
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
High
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • gogs

Products

  • gogs

Additional Info

Technical Analysis