Vulnerabilities > CVE-2024-39930 - Unspecified vulnerability in Gogs

CVSS 9.9 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

gogs

critical

NVD

Published: 2024-07-04

Updated: 2025-04-11

Summary

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.

Vulnerable Configurations

Part	Description	Count
Application	Gogs Gogs Gogs - Gogs Gogs 0.2.0 Gogs Gogs 0.3.0 Gogs Gogs 0.3.1 Gogs Gogs 0.4.0 Gogs Gogs 0.4.1 Gogs Gogs 0.4.2 Gogs Gogs 0.5.0 Gogs Gogs 0.5.2 Gogs Gogs 0.5.5 Gogs Gogs 0.5.8 Gogs Gogs 0.5.9 Gogs Gogs 0.5.11 Gogs Gogs 0.5.13 Gogs Gogs 0.6.0 Gogs Gogs 0.6.1 Gogs Gogs 0.6.3 Gogs Gogs 0.6.5 Gogs Gogs 0.6.9 Gogs Gogs 0.6.15 Gogs Gogs 0.7.0 Gogs Gogs 0.7.6 Gogs Gogs 0.7.19 Gogs Gogs 0.7.22 Gogs Gogs 0.7.33 Gogs Gogs 0.8.0 Gogs Gogs 0.8.10 Gogs Gogs 0.8.25 Gogs Gogs 0.8.43 Gogs Gogs 0.9.0 Gogs Gogs 0.9.13 Gogs Gogs 0.9.46 Gogs Gogs 0.9.48 Gogs Gogs 0.9.60 Gogs Gogs 0.9.71 Gogs Gogs 0.9.97 Gogs Gogs 0.9.113 Gogs Gogs 0.9.128 Gogs Gogs 0.9.141 Gogs Gogs 0.10 Gogs Gogs 0.10.1 Gogs Gogs 0.10.8 Gogs Gogs 0.10.18 Gogs Gogs 0.11 Gogs Gogs 0.11.4 Gogs Gogs 0.11.19 Gogs Gogs 0.11.29 Gogs Gogs 0.11.33 Gogs Gogs 0.11.34 Gogs Gogs 0.11.43 Gogs Gogs 0.11.53 Gogs Gogs 0.11.66 Gogs Gogs 0.11.79 Gogs Gogs 0.11.82.1218 Gogs Gogs 0.11.86 Gogs Gogs 0.11.91 Gogs Gogs 0.12 Gogs Gogs 0.12.2 Gogs Gogs 0.12.3 Gogs Gogs 0.12.4 Gogs Gogs 0.12.5 Gogs Gogs 0.12.6 Gogs Gogs 0.12.7 Gogs Gogs 0.12.8 Gogs Gogs 0.12.9 Gogs Gogs 0.12.10 Gogs Gogs 0.12.11 Gogs Gogs 0.12.13 Gogs Gogs 0.13.0	76

Summary

Vulnerable Configurations

References