GHSA-9pp6-wq8c-3w2c

Source
https://github.com/advisories/GHSA-9pp6-wq8c-3w2c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-9pp6-wq8c-3w2c/GHSA-9pp6-wq8c-3w2c.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9pp6-wq8c-3w2c
Aliases
Published
2024-12-23T20:38:27Z
Modified
2024-12-23T20:58:59.806457Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N
Summary
Gogs allows argument injection during the previewing of changes
Details

Impact

Unprivileged user accounts can write to arbitrary files on the filesystem. We could demonstrate its exploitation to force a re-installation of the instance, granting administrator rights. It allows accessing and altering any user's code hosted on the same instance.

Patches

Unintended Git options are now ignored for the diff preview (https://github.com/gogs/gogs/pull/7871). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
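As an added illustration of the mitigation described above (this is not Gogs code and not the code of the linked pull request), the following hypothetical Go helper shows the shape of the fix: user-controlled revision names are rejected when they look like options, and path arguments are placed after `--` so git never parses them as flags. The function and variable names are assumptions, and the sample input is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrOptionLikeArg is returned when a user-controlled value would be parsed
// by git as a command-line option rather than as a revision or a path.
var ErrOptionLikeArg = errors.New("argument would be interpreted as a git option")

// buildDiffArgs assembles the argv for a diff preview (hypothetical helper).
// Fixed options come first, revisions are validated because git has no way
// to mark them as non-options, and paths go after "--" where git treats
// everything as a pathspec. Option-like paths are still refused as defence
// in depth, in case the value is later reused without the "--" separator.
func buildDiffArgs(base, head string, paths []string) ([]string, error) {
	for _, rev := range []string{base, head} {
		if rev == "" || strings.HasPrefix(rev, "-") {
			return nil, fmt.Errorf("revision %q: %w", rev, ErrOptionLikeArg)
		}
	}
	args := []string{"diff", "--no-color", "--no-ext-diff", base, head, "--"}
	for _, p := range paths {
		if p == "" || strings.HasPrefix(p, "-") {
			return nil, fmt.Errorf("path %q: %w", p, ErrOptionLikeArg)
		}
		args = append(args, p)
	}
	return args, nil
}

func main() {
	// Constructed inputs: one well-formed request and one with an
	// option-like revision that the validation must reject.
	args, err := buildDiffArgs("main", "feature", []string{"README.md"})
	if err != nil {
		panic(err)
	}
	// argv is handed to git directly, never through a shell string.
	cmd := exec.Command("git", args...)
	fmt.Println(cmd.Args)
	_, err = buildDiffArgs("--help", "feature", nil)
	fmt.Println("rejected:", errors.Is(err, ErrOptionLikeArg))
}
```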

Workarounds

No viable workaround is available; on affected versions, grant access to your Gogs instance only to trusted users.

References

https://www.cve.org/CVERecord?id=CVE-2024-39932

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-23T20:38:27Z"
}
Affected packages

Go / gogs.io/gogs

Package

Name
gogs.io/gogs
Purl
pkg:golang/gogs.io/gogs

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.13.1

Database specific

{
    "last_known_affected_version_range": "<= 0.13.0"
}