GOGS Platform Flaws Enable Server Code Execution

The Gogs 0.13.2 release fixes 6 vulnerabilities, 5 of which are rated critical (CVSS 10 out of 10). The fixed vulnerabilities in this collaborative development platform allowed users without the corresponding permissions to execute code on the server, modify data in other users' repositories, or obtain SSH access. According to preliminary analysis, the vulnerabilities do not affect Gitea (forked from Gogs in 2016) or Forgejo (itself a fork of Gitea).

Identified Problems:

  • CVE-2024-39931 – Vulnerability in the repository web editor that allows files to be placed in the repository's .git directory. It allows arbitrary commands to be executed on the server with the privileges of the user specified by the RUN_USER parameter in the Gogs configuration, and with that access to and modification of other users' code.
  • CVE-2024-55947 – Path traversal in the repository web editor that allows escaping the repository's base Git directory. A local Gogs user can overwrite files on the server with the privileges of the Gogs file upload handler (RUN_USER), which can lead to modification of configuration files and to SSH access to the server.
  • CVE-2024-54148 – Details of this vulnerability are yet to be disclosed.
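As an added illustration of the two editor bugs above (this is example code, not code from Gogs or from the advisories), the following Go program contrasts a naive tree-path routine, which only joins the user-supplied path to the repository root, with a hardened check that rejects escapes from the root and any component named .git. The repository root, the function names and the sample paths are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// Constructed example root; not a real Gogs path.
const repoRoot = "/srv/git/alice/project"

var (
	ErrEmptyPath   = errors.New("empty tree path")
	ErrEscapesRepo = errors.New("tree path escapes the repository root")
	ErrInternalDir = errors.New("tree path targets the .git directory")
)

// naiveRepoPath shows the weak pattern: the user-controlled tree path is
// simply joined to the repository root. filepath.Join cleans the result,
// but it resolves ".." segments, so the result may lie outside root, and
// nothing stops the path from pointing into .git.
func naiveRepoPath(root, treePath string) string {
	return filepath.Join(root, treePath)
}

// safeRepoPath is the hardened form. The tree path is treated as a
// slash-separated path relative to root; anything absolute, anything
// that climbs above root, and any component named ".git" is rejected
// before the path is joined to the filesystem root.
func safeRepoPath(root, treePath string) (string, error) {
	if treePath == "" {
		return "", ErrEmptyPath
	}
	if strings.HasPrefix(treePath, "/") || strings.HasPrefix(treePath, "\\") {
		return "", ErrEscapesRepo
	}
	// Normalise backslashes too, so "..\" variants are caught on every platform.
	clean := path.Clean(strings.ReplaceAll(treePath, "\\", "/"))
	if clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", ErrEscapesRepo
	}
	for _, comp := range strings.Split(clean, "/") {
		// Git itself refuses ".git" as a tree entry, at any depth.
		if strings.EqualFold(comp, ".git") {
			return "", ErrInternalDir
		}
	}
	full := filepath.Join(root, filepath.FromSlash(clean))
	// Belt and braces: re-check containment on the joined OS path.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRepo
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one legitimate path, one traversal
	// outside the repository, one that resolves into .git, one absolute.
	samples := []string{
		"src/main.go",
		"../../../../etc/ssh/sshd_config",
		"docs/../.git/config",
		"/etc/passwd",
	}
	for _, s := range samples {
		got, err := safeRepoPath(repoRoot, s)
		fmt.Printf("%-36q naive=%-45s safe=%q err=%v\n",
			s, naiveRepoPath(repoRoot, s), got, err)
	}
}
```

The check is purely lexical: it says nothing about symbolic links already present inside the working copy, so a real editor should additionally resolve the final path (for example with filepath.EvalSymlinks) and confirm it still lies under the root, or write through Git's object store rather than the working directory.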