GHSA-m27m-h5gj-wwmg

Suggest an improvement
Source
https://github.com/advisories/GHSA-m27m-h5gj-wwmg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-m27m-h5gj-wwmg/GHSA-m27m-h5gj-wwmg.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-m27m-h5gj-wwmg
Aliases
Published
2024-12-23T20:38:12Z
Modified
2024-12-23T20:59:02.615857Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:L/S:C/UI:N CVSS Calculator
Summary
Gogs allows argument Injection when tagging new releases
Details

Impact

Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials ([database] *) and [security] SECRET_KEY. Attackers could also exfiltrate TLS certificates, other users' repositories, and the Gogs database when the SQLite driver is enabled.

Patches

Unintended Git options has been ignored for creating tags (https://github.com/gogs/gogs/pull/7872). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

References

https://www.cve.org/CVERecord?id=CVE-2024-39933

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-88"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-23T20:38:12Z"
}
References

Affected packages

Go / gogs.io/gogs

Package

Name
gogs.io/gogs
View open source insights on deps.dev
Purl
pkg:golang/gogs.io/gogs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.13.1

Database specific 

{
    "last_known_affected_version_range": "<= 0.13.0"
}