CVE-2021-32546

EPSS 1.4%

OS Command Injection in gogs

Published: 2022/6/2 Modified: 2026/3/13
Also known as: GHSA-56j7-2pm8-rgmx, GO-2022-0471

Description

### Impact

A malicious user is able to write a crafted `config` file into a repository's `.git` directory and thereby gain SSH access to the server. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.

### Patches

Repository file updates to the repository's `.git` directory are prohibited. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.

### Workarounds

N/A

### References

N/A

### For more information

If you have any questions or comments about this advisory, please post on #6555.
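
One way to express the check described under Patches, as an added example that is not Gogs' own code: reject any repository-relative file path that resolves into a `.git` directory before the file is written. The names `isGitDirPath` and `validateTreePath` are hypothetical, and the sample paths in `main` are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// isGitDirPath reports whether a repository-relative path would land inside
// a .git directory. Hypothetical helper, not the Gogs implementation.
func isGitDirPath(treePath string) bool {
	// Treat backslashes as separators so Windows-style input is not missed.
	p := strings.ReplaceAll(treePath, "\\", "/")
	// Resolve "." and ".." against a virtual root before inspecting segments.
	p = path.Clean("/" + p)
	for _, seg := range strings.Split(p, "/") {
		// Some filesystems ignore trailing dots and spaces in names.
		seg = strings.TrimRight(seg, ". ")
		// Compare case-insensitively for case-insensitive filesystems.
		if strings.EqualFold(seg, ".git") {
			return true
		}
	}
	return false
}

// validateTreePath is the gate a file-update handler would call before
// writing user-supplied content into the working tree.
func validateTreePath(treePath string) error {
	if isGitDirPath(treePath) {
		return fmt.Errorf("refusing to write %q: path is inside a .git directory", treePath)
	}
	return nil
}

func main() {
	// Constructed sample paths: legitimate files first, then rejected ones.
	samples := []string{
		"README.md", ".gitignore", ".github/workflows/ci.yml",
		".git/config", "docs/../.git/config", ".GIT/config", "sub\\.git\\config",
	}
	for _, s := range samples {
		fmt.Printf("%-28s -> %v\n", s, validateTreePath(s))
	}
}
```

The check runs on the cleaned path, so a `..` segment that resolves back into `.git` is rejected the same way as a direct reference.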

Affected packages (2)

Reference links (8)