Improper Authorization in gogs/gogs


Reported on

Mar 6th 2022


When Gogs is build and configured for PAM authentification it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login.

Proof of Concept

You can expire an account with chage -E0 <username> and still login.


Since disabling an account in PAM still allows to login via ssh-keys, it's common to set accounts to expire if you want to deny access. So accounts whom have been privilege revoked are still able to login.


Here's a patch since I don't want to make this public in a repository.

--- a/internal/auth/pam/pam.go
+++ b/internal/auth/pam/pam.go
@@ -26,5 +26,9 @@ func (c *Config) doAuth(login, password string) error {
                return err

-       return t.Authenticate(0)
+    if err = t.Authenticate(0); err != nil {
+           return err
+    }
+       return t.AcctMgmt(0)
We are processing your report and will contact the gogs team within 24 hours. a year ago
a year ago


@admin The gogs team is still working on the other issue they're frozen for. What is the freeze/unfreeze process? Can't find it in the FAQs and sure would like bounty if possible.

ysf modified the report
a year ago
a year ago


A similar bug has been reported to Gitea, we should coordinate publishing them after both repositories have been fixed.

a year ago


Gogs have been contacted according to their here:

Joe Chen validated this vulnerability a year ago
ysf has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
a year ago


@ysf - the prize pot is frozen whilst the entire pot is being consumed by another pending report. Once the report has been reviewed that consumes the entire prize pot, 30 days will elapse before the prize pot refills again.

Created this issue here to help address this better! Feel free to leave your thoughts on the issue too.

ysf submitted a
a year ago
We have sent a fix follow up to the gogs team. We will try again in 7 days. a year ago
Joe Chen marked this as fixed in 0.12.5 with commit 64102b a year ago
ysf has been awarded the fix bounty
This vulnerability will not receive a CVE
pam.go#L29 has been validated
to join this conversation