logo

Database

Insecure functionality In gogs.io/gogs

Description

Gogs has an argument Injection in the built-in SSH server

Impact

When the built-in SSH server is enabled ([server] START_SSH_SERVER = true), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by RUN_USER in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.

Patches

The env command sent to the internal SSH server has been changed to be a passthrough (https://github.com/gogs/gogs/pull/7868), i.e. the feature is effectively removed. Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

Disable the use of built-in SSH server on operating systems other than Windows.

References

https://www.cve.org/CVERecord?id=CVE-2024-39930

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-399302. NVD-2024-399303. OSV-2024-399304. GHSA-vm62-9jw3-c8w35. GHSA-p69r-v3h4-rj4f6. GCVE-2024-39930

References

1. https://github.com/gogs/gogs/security/advisories/GHSA-vm62-9jw3-c8w32. https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-13. https://www.vicarius.io/vsociety/posts/argument-injection-in-gogs-ssh-server-cve-2024-399304. https://github.com/theMcSam/CVE-2024-39930-PoC5. https://github.com/gogs/gogs6. https://github.com/gogs/gogs/releases

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.