Опубликовано: 04 июл. 2024
Источник: github
Github: Прошло ревью
CVSS4: 9.4
CVSS3: 9.9
Описание
Duplicate Advisory: github.com/gogs/gogs affected by CVE-2024-39930
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-vm62-9jw3-c8w3. This link is maintained to preserve external references.
Original Description
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
Пакеты
Наименование
github.com/gogs/gogs
go
Затронутые версииВерсия исправления
<= 0.13.0
Отсутствует
9.4 Critical
CVSS4
9.9 Critical
CVSS3
Дефекты
CWE-88
9.4 Critical
CVSS4
9.9 Critical
CVSS3
Дефекты
CWE-88