Closed
Description
Advisory CVE-2024-39930 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/gogs/gogs |
Description:
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
References:
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-39930
- WEB: https://github.com/gogs/gogs/releases
- WEB: https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/
Cross references:
- Module github.com/gogs/gogs appears in issue x/vulndb: potential Go vuln in github.com/gogs/gogs: CVE-2021-32546 #471 NOT_IMPORTABLE
- Module github.com/gogs/gogs appears in issue x/vulndb: potential Go vuln in github.com/gogs/gogs: CVE-2022-31038 #483 NOT_IMPORTABLE
See doc/triage.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/gogs/gogs
vulnerable_at: 0.13.0
summary: CVE-2024-39930 in github.com/gogs/gogs
cves:
- CVE-2024-39930
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39930
- web: https://github.com/gogs/gogs/releases
- web: https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/
source:
id: CVE-2024-39930
created: 2024-07-04T17:01:09.835174931Z
review_status: UNREVIEWED