CVE-2024-56731
Gogs deletion of internal files allows remote command execution
In short
Gogs allows unprivileged users to delete critical internal Git files and run arbitrary commands on the server. An attacker can take control of the Gogs instance and access or modify any code stored there.
Technical detail
The weakness, classified as CWE-552 (Files or Directories Accessible to External Parties), lets unauthenticated or low-privilege users delete files in the .git directory because the earlier patch was incomplete, enabling arbitrary command execution with RUN_USER privileges. The vulnerability affects Gogs versions prior to 0.13.3 and can be exploited to compromise all repositories on the instance.
Summary generated and translated by AI from the official description.
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration, allowing attackers to access and alter any user's code hosted on the same instance. This issue has been patched in version 0.13.3.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
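The root cause described above is a user-controlled, repository-relative path that is allowed to reach into the .git directory. The following is an added, generic defensive check in Go (the language Gogs is written in); it is not the Gogs patch and the function name ValidateRepoPath is an assumption. It normalizes the path lexically and rejects anything that escapes the working tree or names a .git component, comparing case-insensitively because on case-insensitive filesystems ".GIT" is the same directory.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ValidateRepoPath returns an error if a user-supplied, repository-relative
// path could reach outside the working tree or into the .git directory.
// Generic hardening example (hypothetical helper), not the Gogs fix.
func ValidateRepoPath(userPath string) error {
	// Treat backslashes as separators so Windows-style input gets the same checks.
	p := strings.ReplaceAll(userPath, "\\", "/")
	if p == "" || strings.HasPrefix(p, "/") {
		return fmt.Errorf("path must be non-empty and relative: %q", userPath)
	}
	if strings.ContainsRune(p, 0) {
		return fmt.Errorf("path contains a NUL byte: %q", userPath)
	}
	// path.Clean resolves "." and ".." components lexically, so
	// "src/../.git/config" becomes ".git/config" before the component check.
	clean := path.Clean(p)
	if clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return fmt.Errorf("path escapes the repository: %q", userPath)
	}
	for _, comp := range strings.Split(clean, "/") {
		// Reject any component named ".git" in any letter case; ".gitignore"
		// and similar names are fine because they are not an exact match.
		if strings.EqualFold(comp, ".git") {
			return fmt.Errorf("path targets the .git directory: %q", userPath)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: one benign path and one that would reach .git.
	for _, p := range []string{"docs/README.md", "src/../.git/hooks/pre-receive"} {
		fmt.Printf("%-32q -> %v\n", p, ValidateRepoPath(p))
	}
}
```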
Affected products
gogs · gogs