Cyber Resilience

CVE-2024-39930

Critical · Public PoC

Published: 04 July 2024
Modified: 11 April 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: not specified on this page
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1188 (93.9th percentile)
Risk Priority: 27 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-39930 is a critical-severity Argument Injection (CWE-88) vulnerability in Gogs (vendor: Gogs). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 6.1% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

The vulnerability CVE-2024-39930 is an argument injection issue in the built-in SSH server of Gogs through version 0.13.0, located in internal/ssh/ssh.go. It enables remote code execution on affected systems when the built-in SSH server is activated, though Windows installations remain unaffected. The flaw carries a CVSS score of 9.9 and is categorized under CWE-88.

Authenticated attackers can exploit the weakness by opening an SSH connection to a vulnerable Gogs instance and supplying a malicious --split-string environment request, resulting in arbitrary code execution with high impact on confidentiality, integrity, and availability.

References including the Gogs GitHub releases and detailed analyses from SonarSource and Vicarius recommend upgrading to a patched release beyond 0.13.0 as the primary mitigation, with the project advisories directing administrators to apply available updates promptly.

The associated EPSS score has remained flat at 0.1188 with no material rise observed.

EU & UK References

Vulnerability details

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables authenticated remote code execution via argument injection in the Gogs built-in SSH server on Unix-like systems, directly facilitating Unix Shell command execution (T1059.004) and exploitation of a remote service (T1210).

MITRE ATLAS Techniques (AI-mapped)

AML.T0010: AI Supply Chain Compromise
AML.T0024: Exfiltration via AI Inference API
AML.T0048: External Harms

Affected Assets

Vendor: gogs
Product: gogs
Versions: ≤ 0.13.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References