Unprivileged user accounts can write to arbitrary files on the filesystem. We could demonstrate its exploitation to force a re-installation of the instance, granting administrator rights. It allows accessing and altering any user's code hosted on the same instance.
Unintended Git options has been ignored for diff preview (https://github.com/gogs/gogs/pull/7871). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.
https://www.cve.org/CVERecord?id=CVE-2024-39932
| Score | Percentile |
|---|---|
| 2.82% | 85.65% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 10.0 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-9pp6-wq8c-3w2c ↗ |
| CVE | CVE-2024-39932 ↗ |
| CWE id | Name |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | gogs.io/gogs | <= 0.13.0 | 0.13.1 | — |