Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12bTYyLTlqdzMtYzh3M84ABCrd
Gogs has an argument Injection in the built-in SSH server
Impact
When the built-in SSH server is enabled ([server] START_SSH_SERVER = true
), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by RUN_USER
in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.
Patches
The env
command sent to the internal SSH server has been changed to be a passthrough (https://github.com/gogs/gogs/pull/7868), i.e. the feature is effectively removed. Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
Workarounds
Disable the use of built-in SSH server on operating systems other than Windows.
References
https://www.cve.org/CVERecord?id=CVE-2024-39930
Permalink: https://github.com/advisories/GHSA-vm62-9jw3-c8w3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12bTYyLTlqdzMtYzh3M84ABCrd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N
EPSS Percentage: 0.00045
EPSS Percentile: 0.17541
Identifiers: GHSA-vm62-9jw3-c8w3, CVE-2024-39930
References:
- https://github.com/gogs/gogs/security/advisories/GHSA-vm62-9jw3-c8w3
- https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1
- https://www.vicarius.io/vsociety/posts/argument-injection-in-gogs-ssh-server-cve-2024-39930
- https://github.com/advisories/GHSA-vm62-9jw3-c8w3
Blast Radius: 0.0
Affected Packages
go:gogs.io/gogs
Dependent packages: 2Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 0.13.0
Fixed in: 0.13.1
All affected versions: 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.2, 0.5.5, 0.5.8, 0.5.9, 0.5.11, 0.5.13, 0.6.0, 0.6.1, 0.6.3, 0.6.5, 0.6.9, 0.6.15, 0.7.0, 0.7.6, 0.7.19, 0.7.22, 0.7.33, 0.8.0, 0.8.10, 0.8.25, 0.8.43, 0.9.0, 0.9.13, 0.9.46, 0.9.48, 0.9.60, 0.9.71, 0.9.97, 0.9.113, 0.9.128, 0.9.141, 0.10.1, 0.10.8, 0.10.18, 0.11.4, 0.11.19, 0.11.29, 0.11.33, 0.11.34, 0.11.43, 0.11.53, 0.11.66, 0.11.79, 0.11.86, 0.11.91, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.13.0
All unaffected versions: