CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-39930

CVSS 9.9v3.1pub. 2024-07-04upd. 2025-04-11

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.

🤖 AI Analysis
How it works

The vulnerability (CWE-88) exists in the internal/ssh/ssh.go file of the built-in SSH server. An authenticated attacker establishes an SSH connection with the Gogs server and sends a specially crafted request containing a malicious --split-string parameter within an environment variable. Improper argument handling allows injection of additional commands, which are then executed on the server side. The vulnerability only affects installations with an active built-in SSH server; Windows system installations are not at risk.

Impact

Successful exploitation of the vulnerability allows an attacker to execute arbitrary code remotely (RCE) in the server context, which may result in complete system takeover, theft of repository data, and violation of confidentiality, integrity, and availability of the entire Gogs instance.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references (Gogs project releases page: https://github.com/gogs/gogs/releases). As a workaround, if an update is not immediately possible, disable the built-in SSH server in the Gogs configuration.

Who is affected

Gogs versions up to and including 0.13.0, only on non-Windows installations with an active built-in SSH server

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Gogs

    APP
    Gogs
    ≤ 0.13.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-25921CRITICAL9.3PL ✓ten sam produkt

Gogs: nadpisywanie obiektów LFS między repozytoriami – atak na łańcuch dostaw

CVE-2025-64111CRITICAL9.3PL ✓ten sam produkt

Gogs: ominięcie patcha CVE-2024-56731 umożliwia RCE przez .git

CVE-2024-56731CRITICAL10.0PL ✓ten sam produkt

Gogs: RCE przez usuwanie plików w katalogu .git (bypass patcha CVE-2024-39931)

CVE-2022-1884CRITICAL9.8PL ✓ten sam produkt

RCE w Gogs poprzez command injection w parametrze tree_path (Windows)

CVE-2024-39931CRITICAL9.9PL ✓ten sam produkt

Gogs – nieautoryzowane usuwanie plików wewnętrznych (CWE-552)