GHSA-vm62-9jw3-c8w3

Suggest an improvement
Source
https://github.com/advisories/GHSA-vm62-9jw3-c8w3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-vm62-9jw3-c8w3/GHSA-vm62-9jw3-c8w3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vm62-9jw3-c8w3
Aliases
Published
2024-12-23T20:38:34Z
Modified
2024-12-23T20:58:57.513038Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N CVSS Calculator
Summary
Gogs has an argument Injection in the built-in SSH server
Details

Impact

When the built-in SSH server is enabled ([server] START_SSH_SERVER = true), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by RUN_USER in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.

Patches

The env command sent to the internal SSH server has been changed to be a passthrough (https://github.com/gogs/gogs/pull/7868), i.e. the feature is effectively removed. Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

Disable the use of built-in SSH server on operating systems other than Windows.

References

https://www.cve.org/CVERecord?id=CVE-2024-39930

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-88"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-23T20:38:34Z"
}
References

Affected packages

Go / gogs.io/gogs

Package

Name
gogs.io/gogs
View open source insights on deps.dev
Purl
pkg:golang/gogs.io/gogs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.13.1

Database specific 

{
    "last_known_affected_version_range": "<= 0.13.0"
}