CVE-2024-39930
Published: 04 July 2024
Summary
CVE-2024-39930 is a critical-severity Argument Injection (CWE-88) vulnerability in Gogs. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability CVE-2024-39930 is an argument injection issue in the built-in SSH server of Gogs through version 0.13.0, located in internal/ssh/ssh.go. It enables remote code execution on affected systems when the built-in SSH server is activated, though Windows installations remain unaffected. The flaw carries a CVSS score of 9.9 and is categorized under CWE-88.
Authenticated attackers can exploit the weakness by opening an SSH connection to a vulnerable Gogs instance and supplying a malicious --split-string environment request, resulting in arbitrary code execution with high impact on confidentiality, integrity, and availability.
References including the Gogs GitHub releases and detailed analyses from SonarSource and Vicarius recommend upgrading to a patched release beyond 0.13.0 as the primary mitigation, with the project advisories directing administrators to apply available updates promptly.
The associated EPSS score has remained flat at 0.1188 with no material rise observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3615
Vulnerability details
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
- CWE(s): CWE-88 (Argument Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables authenticated remote code execution via argument injection in the Gogs built-in SSH server on Unix-like systems, directly facilitating Unix Shell command execution (T1059.004) and exploitation of a remote service (T1210).
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.