The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
Metrics
Affected Vendors & Products
References
History
Mon, 19 Aug 2024 08:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Mon, 12 Aug 2024 20:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-88 |
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2024-07-04T00:00:00
Updated: 2024-08-28T15:22:31.592925
Reserved: 2024-07-04T00:00:00
Link: CVE-2024-39930
Vulnrichment
Updated: 2024-08-19T07:47:42.608Z
NVD
Status : Awaiting Analysis
Published: 2024-07-04T16:15:02.277
Modified: 2024-11-21T09:28:35.910
Link: CVE-2024-39930
Redhat
No data.