CVE-2024-39933
Published: 04 July 2024
Summary
CVE-2024-39933 is a high-severity Argument Injection (CWE-88) vulnerability in Gogs (vendor: Gogs). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 49.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3599
Vulnerability details
Gogs through 0.13.0 allows argument injection during the tagging of a new release.
- CWE(s): CWE-88 (Argument Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Argument injection in release tagging enables arbitrary file reads on the Gogs server, facilitating collection of local system data including source code from repositories (T1005, T1213.003) and credentials in configuration files (T1552.001).
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.