Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1tMjdtLWg1Z2otd3dtZ84ABCra

Gogs allows argument Injection when tagging new releases

Impact

Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials ([database] *) and [security] SECRET_KEY. Attackers could also exfiltrate TLS certificates, other users' repositories, and the Gogs database when the SQLite driver is enabled.

Patches

Unintended Git options has been ignored for creating tags (https://github.com/gogs/gogs/pull/7872). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

References

https://www.cve.org/CVERecord?id=CVE-2024-39933

Permalink: https://github.com/advisories/GHSA-m27m-h5gj-wwmg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tMjdtLWg1Z2otd3dtZ84ABCra
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 16 days ago
Updated: 16 days ago

CVSS Score: 7.7
CVSS vector: CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:L/S:C/UI:N

EPSS Percentage: 0.00043
EPSS Percentile: 0.10511

Identifiers: GHSA-m27m-h5gj-wwmg, CVE-2024-39933
References:

• https://github.com/gogs/gogs/security/advisories/GHSA-m27m-h5gj-wwmg
• https://nvd.nist.gov/vuln/detail/CVE-2024-39933
• https://github.com/gogs/gogs/pull/7872
• https://github.com/gogs/gogs/commit/76831d0d06c44c5cf46dc22b380440b7507c2f07
• https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1
• https://github.com/advisories/GHSA-m27m-h5gj-wwmg

Repository: https://github.com/gogs/gogs
Blast Radius: 0.0

Affected Packages