An unpatched zero-day argument injection flaw in Gogs can let authenticated attackers with basic privileges achieve remote code execution on Internet-facing servers using the default configuration. Rapid7 says the issue affects Gogs 0.14.2 and 0.15.0+dev, and could expose private repositories, credentials, and other connected systems. #Gogs #Rapid7 #JonahBurges
Key points
- The flaw enables remote code execution on exposed Gogs instances.
- It affects Gogs 0.14.2 and 0.15.0+dev.
- Exploitation requires an authenticated non-admin user.
- Default open registration makes attack setup easy.
- Attackers could steal repos, credentials, and pivot further.