Fluid Attacks Database

Description

Gogs allows argument injection during the previewing of changes

Impact

Unprivileged user accounts can write to arbitrary files on the filesystem. We could demonstrate its exploitation to force a re-installation of the instance, granting administrator rights. It allows accessing and altering any user's code hosted on the same instance.

Patches

Unintended Git options has been ignored for diff preview (https://github.com/gogs/gogs/pull/7871). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

References

https://www.cve.org/CVERecord?id=CVE-2024-39932

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	gogs.io/gogs	>=0 <0.13.1	0.13.1
go	github.com/gogs/gogs	>=0 <=0.13.0	0.13.1-rc.1

Aliases

1. CVE-2024-399322. NVD-2024-399323. OSV-2024-399324. GHSA-9pp6-wq8c-3w2c5. GHSA-hf29-9hfh-w63j6. GCVE-2024-39932

References

1. https://github.com/gogs/gogs/security/advisories/GHSA-9pp6-wq8c-3w2c2. https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.