Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.
The vulnerability results from incomplete security measures introduced as part of the patch for CVE-2024-39931 — the protection mechanism does not effectively block file deletion operations within the .git directory of a repository. An unprivileged user account can manipulate the contents of the .git directory, leading to the execution of arbitrary commands on the Gogs instance. Commands are executed with the permissions of the system account specified by the RUN_USER parameter in the service configuration.
An attacker can execute arbitrary system commands on the Gogs server and gain access to source code and modify repositories of all users hosted on the same instance.
Gogs should be updated to version 0.13.3, where the vulnerability has been patched. The patch is available in the project's GitHub repository (tag v0.13.3).
Gogs in versions prior to 0.13.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HGogs
APPGogs< 0.13.3
Related vulnerabilities
Gogs: nadpisywanie obiektów LFS między repozytoriami – atak na łańcuch dostaw
Gogs: ominięcie patcha CVE-2024-56731 umożliwia RCE przez .git
RCE w Gogs poprzez command injection w parametrze tree_path (Windows)
Argument injection w serwerze SSH Gogs prowadzący do RCE
Gogs – nieautoryzowane usuwanie plików wewnętrznych (CWE-552)