Local file inclusion In gogs.io/gogs
Description
Gogs allows deletion of internal files
Impact
Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. This allows attackers to read and alter the code of any user hosted on the same instance.
Patches
Deletion of .git files has been prohibited (https://github.com/gogs/gogs/pull/7870). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
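The fix described above refuses to delete entries under a repository's .git directory, the location where hooks and configuration are read and executed as RUN_USER. The following is an added illustration of that kind of server-side check, written for this page and not the code from the referenced pull request: `CheckDeletePath` is a hypothetical helper that normalises a user-supplied, repository-relative path, rejects traversal outside the repository root, and rejects any path component equal to `.git` (case-insensitively) while still allowing ordinary files such as `.gitignore`.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// PathCheckError reports why a deletion request was refused.
type PathCheckError struct{ Reason string }

func (e *PathCheckError) Error() string { return e.Reason }

// CheckDeletePath validates a repository-relative path before a file
// deletion is carried out. Illustrative check only (assumed helper, not
// the project's own code). It rejects:
//   - empty and absolute paths
//   - paths that resolve outside the repository root ("../x")
//   - any component equal to ".git", the repository's internal metadata
//     directory (hooks, config), regardless of letter case
// On success it returns the cleaned, slash-separated relative path.
func CheckDeletePath(rel string) (string, error) {
	if rel == "" {
		return "", &PathCheckError{"empty path"}
	}
	// Treat backslashes as separators so "a\.git\hooks" is not missed.
	normalized := strings.ReplaceAll(rel, "\\", "/")
	if strings.HasPrefix(normalized, "/") {
		return "", &PathCheckError{"absolute path not allowed"}
	}
	// path.Clean collapses "." and ".." segments so traversal tricks such
	// as "src/../.git/config" are evaluated on their final form.
	cleaned := path.Clean(normalized)
	if cleaned == "." || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", &PathCheckError{"path escapes repository root"}
	}
	for _, part := range strings.Split(cleaned, "/") {
		// Exact component match: ".gitignore" and ".github" stay allowed.
		if strings.EqualFold(part, ".git") {
			return "", &PathCheckError{"deleting .git entries is not permitted"}
		}
	}
	return cleaned, nil
}

func main() {
	// Constructed sample inputs: a mix of benign and disallowed paths.
	for _, p := range []string{
		"README.md",
		".gitignore",
		".git/hooks/post-receive",
		"src/../.git/config",
		"../other/file",
		"docs/.GIT/config",
	} {
		if cleaned, err := CheckDeletePath(p); err != nil {
			fmt.Printf("%-28s refused: %v\n", p, err)
		} else {
			fmt.Printf("%-28s allowed as %q\n", p, cleaned)
		}
	}
}
```

The check is deliberately applied to the cleaned path rather than the raw input, so a component sequence that only reaches `.git` after `..` resolution is still caught; the case-insensitive comparison matters on filesystems that fold case.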
Workarounds
No viable workaround is available; on affected versions, grant access to your Gogs instance only to trusted users.
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| go | 0.13.1 | | |
| go | 0.13.1-rc.1 | | |