GHSA-ccqv-43vm-4f3w

Source

https://github.com/advisories/GHSA-ccqv-43vm-4f3w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-ccqv-43vm-4f3w/GHSA-ccqv-43vm-4f3w.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-ccqv-43vm-4f3w

Aliases

Published

2024-12-23T20:38:20Z

Modified

2024-12-23T20:59:01.438852Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N CVSS Calculator

Summary

Gogs allows deletion of internal files

Details

Impact

Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.

Patches

Deletion of .git files has been prohibited (https://github.com/gogs/gogs/pull/7870). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

References

https://www.cve.org/CVERecord?id=CVE-2024-39931

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-552"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-23T20:38:20Z"
}

References

Affected packages

Go / gogs.io/gogs

Package

Name: gogs.io/gogs; View open source insights on deps.dev
Purl: pkg:golang/gogs.io/gogs

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.13.1

Database specific

{
    "last_known_affected_version_range": "<= 0.13.0"
}