CVE-2022-0415 Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6

CVE-2022-0415 Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6

Remote Command Execution via uploaded zip package was possible by importing custom buildpack.
The Zip import feature was removed in version 0.12.6. Now you can import zip file only via SSH. This was a precautionary measure to prevent remote code injection attacks.

Summary of changes in version 0.12.6

Vendor/Product: Cloud Foundry
CVE ID: CVE-2022-0415
Date of Public Advisory: 2018-06-28
Notified Date: 2018-06-29
Fix Version: 0.12.6

What to do about this vulnerability

If you are using a custom buildpack, please remove it and update to the latest version. If you are running a vulnerable version of Elasticsearch, upgrade to 0.12.6 or later.

Installing Buildpack

The Zip import feature was removed in version 0.12.6. Now you can import zip file only via SSH. This was a precautionary measure to prevent remote code injection attacks.

Vulnerable code (buildpack-less version)

# import custom buildpack package
import zipfile, os.path
zip = open('file.zip','r')
with zip:
os.rename('./bin/httpd','./bin/httpd-backup')
with zip:
os.system("ls -al")
with zip:
os.system("touch /tmp/.sock")
zip.close()

Buildpack updates

In response to CVE-2022-0415, the Remote Command Execution vulnerability, there were a few updates to both our default and third party buildpacks.
The default buildpack now uses hardenings from os.urandom to prevent a zip file from being able to call system().
Third party buildpacks were updated as well with changes in their build process that ensured no executable or shell commands could be executed without proper authentication.
We also enabled the “Custom Buildpack” feature which allows you to use your own custom buildpacks for your project. We had been using this feature for some time and only recently removed it (in 0.12.6) since we added the Zip import feature instead and needed it for other features like Docker containers and Amazon EC2 instances.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe