
Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git Service
2024-07-08 06:55

Four unpatched security flaws, including three critical ones, have been disclosed in the Gogs open-source, self-hosted Git service that could enable an authenticated attacker to breach susceptible instances, steal or wipe source code, and even plant backdoors.

Successful exploitation of the first three shortcomings could permit an attacker to execute arbitrary commands on the Gogs server, while the fourth flaw allows attackers to read arbitrary files, such as source code and configuration secrets.

In other words, by abusing the issues, a threat actor could read source code on the instance, modify any code, delete all code, target internal hosts reachable from the Gogs server, and impersonate other users and gain more privileges.

"If the Gogs instance has registration enabled, the attacker can simply create an account and register their SSH key," the researchers said.

Gogs instances running on Windows are not exploitable, and neither is the Docker image.

The disclosure comes as cloud security firm Aqua discovered that sensitive information such as access tokens and passwords once hard-coded could remain permanently exposed even after removal from Git-based source code management systems.


News URL

https://thehackernews.com/2024/07/critical-vulnerabilities-disclosed-in.html

Related vendor

Vendor    # Products    Low    Medium    High    Critical    Total vulns (last 12 months)
Gogs      1             0      8         9       8           25