Gogs SSH Server Vulnerability Allows Remote Code Execution
CVE-2024-39930

9.9CRITICAL

Key Information:

Vendor

Gogs

Status
Gogs
Vendor
CVE Published:
4 July 2024

Badges

📰 News Worthy

What is CVE-2024-39930?

The built-in SSH server within Gogs, up to version 0.13.0, is susceptible to an argument injection vulnerability that can lead to remote code execution. An attacker with authenticated access can exploit this vulnerability by establishing an SSH connection and sending a malicious '--split-string' environment variable request, provided that the built-in SSH server feature is active. It is important to note that Windows installations of Gogs are not affected by this vulnerability, which highlights the need for vigilance in monitoring SSH configurations and ensuring that updates are applied promptly.

News Articles

favicon imageSecurityLab.ru

Год бездействия: почему Gogs игнорирует критические 0day-уязвимости в своём продукте

Атаки способны затронуть тысячи разработчиков по всему миру.

favicon image데일리시큐

Gogs Git 서비스의 심각한 보안 취약점 발견돼

소나소스(SonarSource) 연구원은 Gogs의 오픈 소스, 자체 호스팅 Git 서비스에서 네 가지 주요 보안 취약점을 발견했다고 발표했다. 이 취약점들은 인증된 공격자가 Gogs 인스턴스를 침해하고, 소스 코드를 훔치거나 삭제하며, 백도어를 심는 것을 가능하게 할 수 있다.주요 취약점 상세 정보는 다음과 같다. 1. CVE-2024-39930 (CVSS 점수: 9.9): 이 취약점은 내장된 SSH 서버에서 인수 주입(argument injection)을 허용한다. 성공적인 공격을 위해서는 SSH 서버가 활성화되어 있어야 하며,

References

https://github.com/gogs/gogs/releases
https://www.sonarsource.com/blog/securing-developer-tools...

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • 📰

    First article discovered by 데일리시큐

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-39930 : Gogs SSH Server Vulnerability Allows Remote Code Execution