I subscribe to updates from the forums and wasn’t alerted to this critical issue.

Manasseh Zhou reported a critical session bypass issue in the go-marcaron framework which impacts Gogs 0.11.86 @ 2019-01-30 and Gitea < 1.5.4.
Because of missing access checks; an attacker can log into any account and run arbitrary commands on an effected server.

This was reported as CVE-2018-18926 and CVE-2018-18925
Manasseh provides a detailed breakdown of the issue on his site.

Gogs and Gitea users should update immediately to the latest release.

On a side note; I’m concerned about the timeline here. This issue was first reported to the Gogs project in late 2018 and opened as a github issue in Aug. of 2019 which finally got the attention of unknwon and was resolved two days later. Gitea fixed this issue in Oct. of 2018.
I will be looking into other tools to internally host our git repositories.


Verified by MonsterInsights