Skip to main content

Public advisory of scammers impersonating CSA and the SPF

Stay vigilant. Read the public advisory

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Critical Vulnerabilities in Gogs Open-Source Git Service
Alerts

Critical Vulnerabilities in Gogs Open-Source Git Service

9 July 2024

Security researchers have disclosed multiple vulnerabilities (CVE-2024-39930,CVE-2024-39931, CVE-2024-39932) affecting Gogs open-source Git service. The vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.9 out of 10. 

The vulnerabilities are:

• CVE-2024-39930: Successful exploitation of this vulnerability could allow an authenticated attacker to inject arguments in the built-in Secure Socket Shell (SSH) server, leading to remote code execution.

• CVE-2024-39931: Successful exploitation of this vulnerability could allow an authenticated attacker to delete internal files.

• CVE-2024-39932: Successful exploitation of this vulnerability could allow an authenticated attacker to inject arguments during the previewing of changes.

The critical vulnerabilities affects Gogs versions 0.13.0 and earlier.

Users and administrators of affected product versions are advised to disable the built-in SSH server and user registration.

Users and administrators are also advised to monitor for software updates and apply the patches immediately when available.

More information is available here:

https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/

https://nvd.nist.gov/vuln/detail/CVE-2024-39930

https://nvd.nist.gov/vuln/detail/CVE-2024-39931

https://nvd.nist.gov/vuln/detail/CVE-2024-39932

Back to top