The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
The vulnerability (CWE-88) exists in the internal/ssh/ssh.go file of the built-in SSH server. An authenticated attacker establishes an SSH connection with the Gogs server and sends a specially crafted request containing a malicious --split-string parameter within an environment variable. Improper argument handling allows injection of additional commands, which are then executed on the server side. The vulnerability only affects installations with an active built-in SSH server; Windows system installations are not at risk.
Successful exploitation of the vulnerability allows an attacker to execute arbitrary code remotely (RCE) in the server context, which may result in complete system takeover, theft of repository data, and violation of confidentiality, integrity, and availability of the entire Gogs instance.
Patches available from the vendor should be applied in accordance with the references (Gogs project releases page: https://github.com/gogs/gogs/releases). As a workaround, if an update is not immediately possible, disable the built-in SSH server in the Gogs configuration.
Gogs versions up to and including 0.13.0, only on non-Windows installations with an active built-in SSH server
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HGogs
APPGogs≤ 0.13.0
Related vulnerabilities
Gogs: nadpisywanie obiektów LFS między repozytoriami – atak na łańcuch dostaw
Gogs: ominięcie patcha CVE-2024-56731 umożliwia RCE przez .git
Gogs: RCE przez usuwanie plików w katalogu .git (bypass patcha CVE-2024-39931)
RCE w Gogs poprzez command injection w parametrze tree_path (Windows)
Gogs – nieautoryzowane usuwanie plików wewnętrznych (CWE-552)