Impact
Gogs, an open source self-hosted Git service, had a flaw in the Mirror Settings feature that allowed any authenticated user to import local repositories. The vulnerability arose from missing validation in the SaveAddress function, enabling users to specify paths to local repositories and add them as mirrors. This permits the user to gain access to and potentially expose code or metadata stored locally on the server. The weakness is an instance of Improper Input Validation (CWE‑20).
Affected Systems
All Gogs deployments using versions older than 0.14.3 are affected. Any instance of the gogs:gogs product running before this release without the patch has the vulnerability.
Risk and Exploitability
The CVSS score of 8.1 denotes a high severity. No EPSS score is available, so the likelihood of exploitation cannot be quantified, but the issue is not listed in the CISA KEV catalog. Because the flaw is accessed through the web interface and requires only authenticated user access, it is reasonably easy to exploit for any user with valid credentials. Therefore, the risk to confidentiality and integrity of local repositories is high, while the availability impact is moderate.
OpenCVE Enrichment
Github GHSA