Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12bTYyLTlqdzMtYzh3M84ABCrd

Gogs has an argument Injection in the built-in SSH server

Impact

When the built-in SSH server is enabled ([server] START_SSH_SERVER = true), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by RUN_USER in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.

Patches

The env command sent to the internal SSH server has been changed to be a passthrough (https://github.com/gogs/gogs/pull/7868), i.e. the feature is effectively removed. Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

Disable the use of built-in SSH server on operating systems other than Windows.

References

https://www.cve.org/CVERecord?id=CVE-2024-39930

Permalink: https://github.com/advisories/GHSA-vm62-9jw3-c8w3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12bTYyLTlqdzMtYzh3M84ABCrd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 month ago
Updated: about 1 month ago


CVSS Score: 10.0
CVSS vector: CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N

EPSS Percentage: 0.00045
EPSS Percentile: 0.17541

Identifiers: GHSA-vm62-9jw3-c8w3, CVE-2024-39930
References: Repository: https://github.com/gogs/gogs
Blast Radius: 0.0

Affected Packages

go:gogs.io/gogs
Dependent packages: 2
Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 0.13.0
Fixed in: 0.13.1
All affected versions: 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.2, 0.5.5, 0.5.8, 0.5.9, 0.5.11, 0.5.13, 0.6.0, 0.6.1, 0.6.3, 0.6.5, 0.6.9, 0.6.15, 0.7.0, 0.7.6, 0.7.19, 0.7.22, 0.7.33, 0.8.0, 0.8.10, 0.8.25, 0.8.43, 0.9.0, 0.9.13, 0.9.46, 0.9.48, 0.9.60, 0.9.71, 0.9.97, 0.9.113, 0.9.128, 0.9.141, 0.10.1, 0.10.8, 0.10.18, 0.11.4, 0.11.19, 0.11.29, 0.11.33, 0.11.34, 0.11.43, 0.11.53, 0.11.66, 0.11.79, 0.11.86, 0.11.91, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.13.0
All unaffected versions: