Attacker Impact
CVE-2018-20303 is a path traversal advisory in Gogs file-upload path handling [S1][S2]. Where an affected Gogs build is deployed and the upload handling it covers is reachable, an attacker may be able to make the server resolve an upload path outside the intended storage root. The practical impact depends on how the Gogs service is deployed, what the Gogs process can read and write on the host, and whether the affected runtime is reachable by untrusted users [S2][S3].
Root Cause
The issue is tracked as CWE-22 (path traversal) and affects Gogs releases before 0.11.82.1218 according to the GitHub Advisory Database and NVD records [S1][S2]. Go module manifests that pin Gogs by commit may reference the patched commit as the pseudo-version v0.11.80-0.20181218063808-ff93d9dbda5c, whose timestamp and hash identify commit ff93d9dbda5c; FixVibe treats that pseudo-version as fixed when it appears in repository evidence.
Concrete Fixes
- Upgrade Gogs: Update the deployed Gogs runtime to 0.11.82.1218 or newer, or to a build that includes commit ff93d9dbda5c [S2][S3].
- Rebuild the deployed artifact: Regenerate the Go module (go.mod/go.sum) or Dep (Gopkg.lock) metadata, rebuild the Gogs binary or container image, and verify that production is no longer running an affected version.
- Keep file handling constrained: Continue resolving upload paths against the intended storage root, reject any resolved path that lands outside it, and keep the Gogs management surface restricted to trusted users and networks.
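The "keep file handling constrained" step above is the general mitigation for this class of bug. The following Go program is an added example written for this page, not code from Gogs or from the patched commit; it shows the unsafe join pattern that CWE-22 describes next to a containment check that rejects any upload name resolving outside the storage root. The root path and the sample upload names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a client-supplied name would resolve to a
// location that is not strictly inside the configured upload root.
var ErrOutsideRoot = errors.New("upload path escapes storage root")

// unsafeUploadPath is the CWE-22 shape: the client-controlled name is joined
// to the root and used as-is. filepath.Join cleans the result, so a name such
// as "../../etc/passwd" walks out of root instead of being rejected.
func unsafeUploadPath(root, name string) string {
	return filepath.Join(root, name)
}

// safeUploadPath resolves name against root and returns the absolute target
// only if it lies inside root. Absolute and empty names are rejected up
// front; everything else is checked by computing the cleaned target's path
// relative to root, so "a/../../b" is caught as well as a plain "../".
func safeUploadPath(root, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absRoot, name) // Join applies Clean, collapsing ".."
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	// rel is "." when target == root (not a file), ".." or "../x" when the
	// name climbed out of root; any other value is a path strictly below root.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	// Constructed root and upload names, chosen to exercise each branch.
	root := "/srv/gogs/data/tmp/uploads"
	names := []string{"notes.txt", "sub/dir/file.go", "../../etc/passwd", "a/../../b", "/etc/shadow"}
	for _, name := range names {
		p, err := safeUploadPath(root, name)
		fmt.Printf("%-20q unsafe=%-34s safe=%q err=%v\n", name, unsafeUploadPath(root, name), p, err)
	}
}
```

The check is purely lexical. If the root itself contains symlinks, or users can create symlinks beneath it, run filepath.EvalSymlinks on the final target and repeat the containment check before opening the file.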
Covered by FixVibe
FixVibe's GitHub repo scan can now flag go.mod and Gopkg.lock evidence for gogs.io/gogs or github.com/gogs/gogs versions affected by CVE-2018-20303 / GHSA-9hxg-w7qf-hh93 [S2][S3]. The finding is reported as a version-based advisory: FixVibe verifies repository dependency evidence and source quality, but it does not run Gogs, send path traversal payloads, exercise file-upload paths, or prove the affected runtime is deployed in production.
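To make the version-based finding concrete, here is an added Go example (written for this page, not FixVibe's scanner or any Gogs code) that walks the require lines of a go.mod, picks out the gogs.io/gogs and github.com/gogs/gogs module paths, and classifies each version against the fix boundary above. Its rules are this example's own: a pseudo-version is cleared if it pins commit ff93d9dbda5c or carries a timestamp after 20181218063808 (an assumption that later main-line commits contain the fix), a plain tag is flagged when it is numerically below v0.11.82, and anything unparseable is flagged for review. The go.mod content is constructed; Gopkg.lock handling is left out.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Module paths the advisory scan matches, as named on this page.
var gogsModulePaths = map[string]bool{"gogs.io/gogs": true, "github.com/gogs/gogs": true}

// Fix boundary from the advisory: commit ff93d9dbda5c, whose pseudo-version
// timestamp is 20181218063808; tagged releases are compared against v0.11.82.
const fixCommit = "ff93d9dbda5c"
const fixTimestamp = "20181218063808"

// pseudoTailRe matches the "-yyyymmddhhmmss-commit12" tail of a Go
// pseudo-version such as v0.11.80-0.20181218063808-ff93d9dbda5c.
var pseudoTailRe = regexp.MustCompile(`(\d{14})-([0-9a-f]{12})$`)

// tagRe matches a plain tagged release such as v0.11.79.
var tagRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)$`)

// Finding is one Gogs require line together with this example's verdict.
type Finding struct {
	Module, Version, Reason string
	Affected                bool
}

func atoi(s string) int { n, _ := strconv.Atoi(s); return n }

// classify applies the example's rules to a single version string.
func classify(version string) (affected bool, reason string) {
	if m := pseudoTailRe.FindStringSubmatch(version); m != nil {
		ts, commit := m[1], m[2]
		if commit == fixCommit {
			return false, "pins patched commit " + fixCommit
		}
		// Assumption of this example: a commit dated after the fix on the main
		// line contains it. A long-lived side branch would not, so review manually.
		if ts > fixTimestamp {
			return false, "commit dated after fix (" + ts + ")"
		}
		return true, "commit dated before fix (" + ts + ")"
	}
	if m := tagRe.FindStringSubmatch(version); m != nil {
		v := [3]int{atoi(m[1]), atoi(m[2]), atoi(m[3])}
		if v[0] == 0 && (v[1] < 11 || v[1] == 11 && v[2] < 82) {
			return true, "tag below v0.11.82"
		}
		return false, "tag at or above v0.11.82"
	}
	return true, "unrecognised version; flag for manual review"
}

// ScanGoMod walks the require lines of a go.mod (single-line and block forms,
// trailing comments stripped) and reports a Finding for every Gogs module.
func ScanGoMod(src string) []Finding {
	var out []Finding
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 || !gogsModulePaths[f[0]] {
			continue
		}
		affected, reason := classify(f[1])
		out = append(out, Finding{Module: f[0], Version: f[1], Affected: affected, Reason: reason})
	}
	return out
}

// sampleGoMod is a constructed manifest, not taken from any real repository.
const sampleGoMod = `module example.com/constructed/tool

go 1.12

require (
	github.com/gogs/gogs v0.11.79 // indirect
	golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9
)

require gogs.io/gogs v0.11.80-0.20181218063808-ff93d9dbda5c
`

func main() {
	for _, f := range ScanGoMod(sampleGoMod) {
		fmt.Printf("%-22s %-44s affected=%-5t %s\n", f.Module, f.Version, f.Affected, f.Reason)
	}
}
```

Like the page's finding, this is evidence about a manifest, not about a running service: a cleared version says nothing about what is actually deployed, and a flagged one still needs the runtime check described under Concrete Fixes.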
