GHSA-ccqv-43vm-4f3w

Suggest an improvement
Source
https://github.com/advisories/GHSA-ccqv-43vm-4f3w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-ccqv-43vm-4f3w/GHSA-ccqv-43vm-4f3w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ccqv-43vm-4f3w
Aliases
Published
2024-12-23T20:38:20Z
Modified
2024-12-23T20:56:58.642991Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N CVSS Calculator
Summary
Gogs allows deletion of internal files
Details

Impact

Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.

Patches

Deletion of .git files has been prohibited (https://github.com/gogs/gogs/pull/7870). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

References

https://www.cve.org/CVERecord?id=CVE-2024-39931

Database specific 
{
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-552"
    ],
    "github_reviewed_at": "2024-12-23T20:38:20Z"
}
References

Affected packages

Go / gogs.io/gogs

Package

Name
gogs.io/gogs
View open source insights on deps.dev
Purl
pkg:golang/gogs.io/gogs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.13.1

Database specific

last_known_affected_version_range

"<= 0.13.0"