CVE-2018-20303 — Gogs Directory Traversal

Description

In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.

How to fix CVE-2018-20303

To remediate CVE-2018-20303, upgrade the affected package to a fixed version below.

Go/gogs.io/gogs—upgrade to 0.11.80-0.20181218063808-ff93d9dbda5c or later

Is CVE-2018-20303 being exploited?

Low — EPSS is 2.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.11.80-0.20181218063808-ff93d9dbda5c

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-20303
PATCHgithub.com/gogs/gogs
WEBgithub.com/gogs/gogs/commit/ff93d9dbda5cebe90d86e4b7dfb2c6b8642970ce
WEBgithub.com/gogs/gogs/issues/5558
WEB