Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/gogs/gogs: CVE-2024-39930 #2969

Closed
GoVulnBot opened this issue Jul 4, 2024 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/gogs/gogs: CVE-2024-39930 #2969

GoVulnBot opened this issue Jul 4, 2024 · 2 comments
Assignees
@tatianab
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory CVE-2024-39930 references a vulnerability in the following Go modules:

Module
github.com/gogs/gogs

Description:
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/gogs/gogs
      vulnerable_at: 0.13.0
summary: CVE-2024-39930 in github.com/gogs/gogs
cves:
    - CVE-2024-39930
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39930
    - web: https://github.com/gogs/gogs/releases
    - web: https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/
source:
    id: CVE-2024-39930
    created: 2024-07-04T17:01:09.835174931Z
review_status: UNREVIEWED
@tatianab tatianab self-assigned this Jul 8, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/597158 mentions this issue: data/reports: add 7 unreviewed reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/601375 mentions this issue: data/reports: update 3 reports

gopherbot pushed a commit that referenced this issue Jul 29, 2024
@tatianab
data/reports: update 3 reports
fb09166 
Regenerate three UNREVIEWED reports that now have
a GHSA available.

  - data/reports/GO-2024-2965.yaml
  - data/reports/GO-2024-2969.yaml
  - data/reports/GO-2024-2974.yaml

Updates #2965
Updates #2969
Updates #2974

Change-Id: I5f5b9fc105520c831e598dc591d04b9e81347d3d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/601375
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This was referenced Dec 23, 2024
Closed
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@tatianab tatianab

Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot