Critical Vulnerabilities in Gogs Open-Source Git Service

Published on 09 Jul 2024

Security researchers have disclosed multiple vulnerabilities (CVE-2024-39930, CVE-2024-39931, CVE-2024-39932) affecting the Gogs open-source Git service. The vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.9 out of 10.

The vulnerabilities are:
• CVE-2024-39930: Successful exploitation of this vulnerability could allow an authenticated attacker to inject arguments in the built-in Secure Socket Shell (SSH) server, leading to remote code execution.
• CVE-2024-39931: Successful exploitation of this vulnerability could allow an authenticated attacker to delete internal files.
• CVE-2024-39932: Successful exploitation of this vulnerability could allow an authenticated attacker to inject arguments during the previewing of changes.

The critical vulnerabilities affect Gogs versions 0.13.0 and earlier.

Users and administrators of affected product versions are advised to disable the built-in SSH server and user registration.

Users and administrators are also advised to monitor for software updates and apply the patches immediately when available.
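The following POSIX shell script is an added example, not code from the advisory or from the Gogs project. It checks whether an installed version falls in the affected range (0.13.0 and earlier) and whether the two interim mitigations above are explicitly set in a Gogs app.ini. The configuration keys it looks for, START_SSH_SERVER under [server] and DISABLE_REGISTRATION under [auth], are assumed from Gogs' documented configuration; confirm them against the app.ini shipped with your installed version. The sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Gogs project code): audit a Gogs app.ini for the two
# interim mitigations in the advisory and flag versions in the affected range.
# Assumption: the keys are [server] START_SSH_SERVER and [auth]
# DISABLE_REGISTRATION, as documented for Gogs; confirm against your version.

# Print the value of KEY inside [SECTION] of an INI file (empty if unset).
# Strips surrounding whitespace and inline ';' or '#' comments.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0; gsub(/[[:space:]]/, "", s)
            insec = (s == "[" sec "]"); next
        }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)
            sub(/[[:space:]]*[;#].*$/, "", v)
            sub(/[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}

# Exit 0 if VERSION is 0.13.0 or earlier (the range the advisory lists as
# affected), 1 otherwise. Compares major.minor.patch numerically.
gogs_version_affected() {
    printf '%s\n' "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        if (maj > 0) exit 1
        if (min > 13) exit 1
        if (min == 13 && pat > 0) exit 1
        exit 0
    }'
}

# Exit 0 only when both mitigations are explicitly set: built-in SSH server
# off and self-registration off. Defaults are deliberately not trusted, so an
# absent key counts as "not mitigated".
gogs_mitigated() {
    ssh=$(ini_get "$1" server START_SSH_SERVER | tr 'A-Z' 'a-z')
    reg=$(ini_get "$1" auth DISABLE_REGISTRATION | tr 'A-Z' 'a-z')
    [ "$ssh" = "false" ] && [ "$reg" = "true" ]
}

# Write a constructed sample app.ini to FILE: "weak" (built-in SSH on,
# registration open) or "hardened" (both mitigations applied).
write_sample_ini() {
    case "$1" in
        weak) ssh=true; reg=false ;;
        hardened) ssh=false; reg=true ;;
        *) echo "usage: write_sample_ini weak|hardened FILE" >&2; return 2 ;;
    esac
    cat > "$2" <<EOF
[server]
DOMAIN = git.example.internal   ; constructed hostname
START_SSH_SERVER = $ssh

[auth]
DISABLE_REGISTRATION = $reg
EOF
}

# Audit a real deployment: report the version status, then fail (exit 1)
# when the interim mitigations are missing from the config file.
gogs_audit() {
    if gogs_version_affected "$2"; then
        echo "Gogs $2 is in the affected range (0.13.0 and earlier)"
    else
        echo "Gogs $2 is outside the affected range"
    fi
    if gogs_mitigated "$1"; then
        echo "interim mitigations present in $1"
    else
        echo "WARNING: interim mitigations missing in $1"; return 1
    fi
}

# Usage: sh gogs_check.sh /path/to/custom/conf/app.ini 0.13.0
if [ "$#" -eq 2 ]; then
    gogs_audit "$1" "$2"
fi
```

The check insists on both keys being present and set, rather than relying on Gogs' defaults, so the result reflects what an administrator actually wrote into the file; a deployment that depends on the default for either value shows up as unmitigated and is worth a second look.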

More information is available here: