Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Critical Vulnerabilities in Gogs Open-Source Git Service
Alerts

Critical Vulnerabilities in Gogs Open-Source Git Service

9 July 2024

Security researchers have disclosed multiple vulnerabilities (CVE-2024-39930,CVE-2024-39931, CVE-2024-39932) affecting Gogs open-source Git service. The vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.9 out of 10. 

The vulnerabilities are:

• CVE-2024-39930: Successful exploitation of this vulnerability could allow an authenticated attacker to inject arguments in the built-in Secure Socket Shell (SSH) server, leading to remote code execution.

• CVE-2024-39931: Successful exploitation of this vulnerability could allow an authenticated attacker to delete internal files.

• CVE-2024-39932: Successful exploitation of this vulnerability could allow an authenticated attacker to inject arguments during the previewing of changes.

The critical vulnerabilities affects Gogs versions 0.13.0 and earlier.

Users and administrators of affected product versions are advised to disable the built-in SSH server and user registration.

Users and administrators are also advised to monitor for software updates and apply the patches immediately when available.

More information is available here:

https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/

https://nvd.nist.gov/vuln/detail/CVE-2024-39930

https://nvd.nist.gov/vuln/detail/CVE-2024-39931

https://nvd.nist.gov/vuln/detail/CVE-2024-39932

Back to top