Cyber Resilience

CVE-2024-39933

HighPublic PoC

Published: 04 July 2024

Published
04 July 2024
Modified
10 April 2025
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0026 50.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-39933 is a high-severity Argument Injection (CWE-88) vulnerability in Gogs Gogs. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 49.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Gogs through 0.13.0 allows argument injection during the tagging of a new release.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1213.003 Code Repositories Collection
Adversaries may leverage code repositories to collect valuable information.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Argument injection in release tagging enables arbitrary file reads on the Gogs server, facilitating collection of local system data including source code from repositories (T1005, T1213.003) and credentials in configuration files (T1552.001).

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0010: AI Supply Chain CompromiseAML.T0016: Obtain CapabilitiesAML.T0024: Exfiltration via AI Inference API

Affected Assets

gogs
gogs
≤ 0.13.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References