This advisory has been withdrawn because it is a duplicate of GHSA-vm62-9jw3-c8w3. This link is maintained to preserve external references.
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
{ "cwe_ids": [ "CWE-88" ], "severity": "CRITICAL", "nvd_published_at": "2024-07-04T16:15:02Z", "github_reviewed_at": "2024-07-10T14:30:51Z", "github_reviewed": true }