The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution.…
mitre·CWE-88·Published 2024-07-04
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
github.com/gogs/gogs affected by CVE-2024-39930
### Impact When the built-in SSH server is enabled (`[server] START_SSH_SERVER = true`), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same instance. ### Patches The `env` command sent to the internal SSH server has been changed to be a passthrough (https://github.com/gogs/gogs/pull/7868), i.e. the feature is effectively removed. Users should upgrade to 0.13.1 or the latest 0.14.0+dev. ### Workarounds [Disable the use of built-in SSH server](https://github.com/gogs/gogs/blob/7adac94f1e93cc5c3545ea31688662dcef9cd737/conf/app.ini#L76-L77) on operating systems other than Windows. ### References https://www.cve.org/CVERecord?id=CVE-2024-39930
El servidor SSH integrado de Gogs hasta la versión 0.13.0 permite la inyección de argumentos en internal/ssh/ssh.go, lo que lleva a la ejecución remota de código. Los atacantes autenticados pueden aprovechar esto abriendo una conexión SSH y enviando una solicitud env maliciosa de cadena dividida si el servidor SSH integrado está activado. Las instalaciones de Windows no se ven afectadas.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 9.9 | — | — | CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N |
| 3.1 | Primary | NVD | 9.9 | 3.1 | 6.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 9.9 | — | — | CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N |
| 3.1 | Secondary | NVD | 9.9 | 3.1 | 6.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 9.9 | — | — | CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N |