The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
History

Mon, 19 Aug 2024 08:30:00 +0000


Mon, 12 Aug 2024 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-88

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-07-04T00:00:00

Updated: 2024-08-28T15:22:31.592925

Reserved: 2024-07-04T00:00:00

Link: CVE-2024-39930

cve-icon Vulnrichment

Updated: 2024-08-19T07:47:42.608Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-07-04T16:15:02.277

Modified: 2024-11-21T09:28:35.910

Link: CVE-2024-39930

cve-icon Redhat

No data.