Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS05cHA2LXdxOGMtM3cyY84ABCrc

Gogs allows argument injection during the previewing of changes

Impact

Unprivileged user accounts can write to arbitrary files on the filesystem. We could demonstrate its exploitation to force a re-installation of the instance, granting administrator rights. It allows accessing and altering any user's code hosted on the same instance.

Patches

Unintended Git options has been ignored for diff preview (https://github.com/gogs/gogs/pull/7871). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

References

https://www.cve.org/CVERecord?id=CVE-2024-39932

Permalink: https://github.com/advisories/GHSA-9pp6-wq8c-3w2c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cHA2LXdxOGMtM3cyY84ABCrc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 16 days ago
Updated: 16 days ago

CVSS Score: 10.0
CVSS vector: CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N

EPSS Percentage: 0.00043
EPSS Percentile: 0.10511

Identifiers: GHSA-9pp6-wq8c-3w2c, CVE-2024-39932
References:

• https://github.com/gogs/gogs/security/advisories/GHSA-9pp6-wq8c-3w2c
• https://nvd.nist.gov/vuln/detail/CVE-2024-39932
• https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1
• https://github.com/advisories/GHSA-9pp6-wq8c-3w2c

Repository: https://github.com/gogs/gogs
Blast Radius: 0.0

Affected Packages