Critical vulnerabilities in Gogs open-source Git service
Four unpatched security vulnerabilities have been disclosed in the Gogs open-source, self-hosted Git service. The flaws, identified by SonarSource researchers Thomas Chauchefoin and Paul Gerste, could allow an authenticated attacker to breach the service, manipulate source code, and plant backdoors.
Detailed Vulnerabilities
- CVE-2024-39930 (CVSS score: 9.9): Argument injection in the built-in SSH server.
- CVE-2024-39931 (CVSS score: 9.9): Deletion of internal files.
- CVE-2024-39932 (CVSS score: 9.9): Argument injection during changes preview.
- CVE-2024-39933 (CVSS score: 7.7): Argument injection when tagging new releases.
Exploiting the vulnerabilities could enable attackers to:
- Execute arbitrary commands on the Gogs server
- Read, modify or delete source code
- Target internal hosts accessible from the Gogs server
- Impersonate users and gain additional privileges
All four vulnerabilities require the attacker to be authenticated. While this may look like a significant barrier, if user registration is enabled on the Gogs instance, an attacker can simply create an account and register an SSH key. For CVE-2024-39930, the built-in SSH server must also be enabled, and the attacker must hold a valid SSH private key.
Deployments on Debian and Ubuntu are vulnerable because their env binary supports the "--split-string" option. Deployments on Windows and the Docker images are not vulnerable.
According to SonarSource, approximately 7,300 Gogs instances are publicly accessible over the internet, with nearly 60% located in China, followed by the U.S., Germany, Russia, and Hong Kong.
The project maintainers have not released fixes and stopped responding after the initial report on April 28, 2023. In the absence of official patches, users are advised to:
- Disable the built-in SSH server
- Turn off user registration to prevent mass exploitation
- Consider switching to Gitea, a similar Git service
- Consider applying a patch released by SonarSource, though it hasn't been extensively tested
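As an added example (not code from the advisory or from the Gogs project), the POSIX shell audit below checks a Gogs app.ini for the first two mitigations above and tests whether the local env(1) accepts --split-string, the Debian/Ubuntu precondition for CVE-2024-39930. It assumes Gogs' standard [server] START_SSH_SERVER and [service] DISABLE_REGISTRATION keys and runs against a constructed sample file.

```shell
#!/bin/sh
# Added audit helper, not the advisory's or the Gogs project's code. Reads a Gogs
# app.ini, reports which recommended mitigations are missing, and checks whether
# env(1) accepts --split-string (the Debian/Ubuntu precondition for CVE-2024-39930).
# ini_get FILE SECTION KEY: print the key's value (last one wins), or nothing.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[;#]/ { next }                                   # comment line
        /^[ \t]*\[/   { sec = $0; gsub(/[ \t]/, "", sec); next } # section header
        sec == want && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                val = substr($0, index($0, "=") + 1)
                sub(/[ \t]+[;#].*$/, "", val)          # drop an inline comment
                gsub(/^[ \t]+|[ \t]+$/, "", val)       # trim surrounding blanks
            }
        }
        END { print val }' "$1"
}
# gogs_audit FILE: print one FINDING line per missing mitigation; return their count.
gogs_audit() {
    n=0
    ssh=$(ini_get "$1" server START_SSH_SERVER | tr 'A-Z' 'a-z')
    reg=$(ini_get "$1" service DISABLE_REGISTRATION | tr 'A-Z' 'a-z')
    if [ "$ssh" = "true" ]; then
        echo "FINDING: [server] START_SSH_SERVER=true; disable the built-in SSH server"
        n=$((n + 1))
    fi
    if [ "$reg" != "true" ]; then
        echo "FINDING: [service] DISABLE_REGISTRATION is not true; self-registration is open"
        n=$((n + 1))
    fi
    return "$n"
}
# env_split_string_supported: exit 0 when env(1) accepts --split-string (GNU coreutils).
env_split_string_supported() {
    env --split-string=true >/dev/null 2>&1
}
# Constructed sample app.ini for a deployment that still carries both weak settings.
sample_ini=$(mktemp)
cat >"$sample_ini" <<'EOF'
[server]
START_SSH_SERVER = true
SSH_PORT = 2222
[service]
DISABLE_REGISTRATION = false
EOF
gogs_audit "$sample_ini" || echo "missing mitigations: $?"
env_split_string_supported && echo "local env(1) accepts --split-string: Debian/Ubuntu-style host"
```

Point gogs_audit at the instance's custom/conf/app.ini to check a real deployment; a hardened file (START_SSH_SERVER = false, DISABLE_REGISTRATION = true) yields no findings and exit status 0.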