CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-39931

CVSS 9.9v3.1pub. 2024-07-04upd. 2025-04-10

Gogs through 0.13.0 allows deletion of internal files.

🤖 AI Analysis
How it works

The error classified as CWE-552 (Files or Directories Accessible to External Parties) consists of the fact that the Gogs application does not properly verify access permissions to internal files before performing their deletion operations. An authenticated user with low privileges can send an appropriately crafted network request that will cause files belonging to the internal application structure to be deleted. The vulnerability is accessible remotely, without requiring any interaction on the victim's side.

Impact

An attacker can permanently delete internal files of the Gogs server, which may lead to loss of repository data, service disruption, or creation of conditions for further attack escalation. The impact includes high risk to the confidentiality, integrity, and availability of the system.

Mitigation & patch

Apply patches available from the vendor according to the references – the latest release is available at https://github.com/gogs/gogs/releases. All Gogs instances must be immediately updated to a version higher than 0.13.0.

Who is affected

Gogs version 0.13.0 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Gogs

    APP
    Gogs
    ≤ 0.13.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-25921CRITICAL9.3PL ✓ten sam produkt

Gogs: nadpisywanie obiektów LFS między repozytoriami – atak na łańcuch dostaw

CVE-2025-64111CRITICAL9.3PL ✓ten sam produkt

Gogs: ominięcie patcha CVE-2024-56731 umożliwia RCE przez .git

CVE-2024-56731CRITICAL10.0PL ✓ten sam produkt

Gogs: RCE przez usuwanie plików w katalogu .git (bypass patcha CVE-2024-39931)

CVE-2022-1884CRITICAL9.8PL ✓ten sam produkt

RCE w Gogs poprzez command injection w parametrze tree_path (Windows)

CVE-2024-39930CRITICAL9.9PL ✓ten sam produkt

Argument injection w serwerze SSH Gogs prowadzący do RCE