PT-2023-9256 · Gogs · Gogs

Akos Jakab

·

Published

2023-04-20

·

Updated

2026-05-29

·

CVE-2024-39930

CVSS v3.1

9.9

Critical

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Gogs versions 0.13.0 and earlier (exploitable only when the built-in SSH server is enabled)

Description

The built-in SSH server of Gogs (internal/ssh/ssh.go) takes the variable name from a client "env" channel request and concatenates it, unvalidated, into the argument list of the env binary. An authenticated attacker can therefore open an SSH connection and send an env request whose variable name is --split-string: GNU env parses that argument as its -S option rather than as a variable assignment and executes the attacker-supplied value, which yields remote code execution on the server. Approximately 7,300 exposed instances are affected, about 60% of them located in China. Users are urged to disable the built-in SSH server and self-registration to minimize the risk.

Recommendations

For Gogs versions 0.13.0 and earlier, upgrade to version 0.13.1 or the latest 0.14.0+dev to resolve the issue. If upgrading is not immediately possible, disable the built-in SSH server on operating systems other than Windows, and restrict who can reach it: disable self-registration and limit SSH access to trusted accounts. The malicious --split-string env request is sent by the attacker, not by a legitimate client, so the exposure is bounded by who can authenticate to the built-in SSH server.
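The example below is added here to illustrate the argument-injection pattern described above; it is not code from Gogs or from the advisory authors. It decodes an SSH "env" channel request (two length-prefixed strings, RFC 4254 section 6.4), shows how an unvalidated variable name ends up as the first argument of env, and contrasts that with a hardened construction that validates the name as a POSIX environment-variable identifier and separates options from operands with "--". The function names, the constructed payload, and the benign GIT_PROTOCOL request are assumptions for illustration; nothing here executes a command, it only builds and inspects the argument vectors.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"regexp"
)

// envRequest is the decoded body of an SSH "env" channel request:
// string variable name followed by string variable value (RFC 4254 section 6.4).
type envRequest struct {
	Name  string
	Value string
}

// sshString encodes s as an SSH string: uint32 big-endian length, then bytes.
func sshString(s string) []byte {
	b := make([]byte, 4+len(s))
	binary.BigEndian.PutUint32(b, uint32(len(s)))
	copy(b[4:], s)
	return b
}

// parseEnvRequest decodes the two SSH strings of an "env" request and rejects
// truncated payloads and trailing data instead of guessing at the boundaries.
func parseEnvRequest(payload []byte) (envRequest, error) {
	readString := func(b []byte) (string, []byte, error) {
		if len(b) < 4 {
			return "", nil, errors.New("env request: short length prefix")
		}
		n := int(binary.BigEndian.Uint32(b))
		if n < 0 || n > len(b)-4 {
			return "", nil, errors.New("env request: string length exceeds payload")
		}
		return string(b[4 : 4+n]), b[4+n:], nil
	}
	name, rest, err := readString(payload)
	if err != nil {
		return envRequest{}, err
	}
	value, rest, err := readString(rest)
	if err != nil {
		return envRequest{}, err
	}
	if len(rest) != 0 {
		return envRequest{}, errors.New("env request: trailing bytes after value")
	}
	return envRequest{Name: name, Value: value}, nil
}

// vulnerableEnvArgv mirrors the unsafe pattern: the client-controlled name is
// concatenated into the first argument of env, so a name such as
// "--split-string" is parsed by GNU env as an option, not as a variable.
func vulnerableEnvArgv(r envRequest) []string {
	return []string{"env", r.Name + "=" + r.Value}
}

// envNameRe accepts only POSIX environment-variable identifiers; anything
// starting with '-' (or containing '=') is rejected before it reaches env.
var envNameRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// safeEnvArgv validates the name and places "--" before the assignment, so no
// client input can ever be interpreted as an option by env.
func safeEnvArgv(r envRequest) ([]string, error) {
	if !envNameRe.MatchString(r.Name) {
		return nil, fmt.Errorf("rejecting env request: invalid variable name %q", r.Name)
	}
	return []string{"env", "--", r.Name + "=" + r.Value}, nil
}

// looksLikeArgumentInjection is the check an audit-log filter would apply:
// a variable name that would be parsed as an option.
func looksLikeArgumentInjection(r envRequest) bool {
	return len(r.Name) > 0 && r.Name[0] == '-'
}

func main() {
	// Constructed payload (not captured traffic): name "--split-string",
	// value a command line that GNU env would split and execute.
	payload := append(sshString("--split-string"), sshString("/bin/sh -c id")...)
	req, err := parseEnvRequest(payload)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("unsafe argv: %q\n", vulnerableEnvArgv(req))
	fmt.Println("flagged as argument injection:", looksLikeArgumentInjection(req))
	if _, err := safeEnvArgv(req); err != nil {
		fmt.Println("hardened handler:", err)
	}
	// A benign request as a git client would send it (assumed for illustration).
	benign, _ := parseEnvRequest(append(sshString("GIT_PROTOCOL"), sshString("version=2")...))
	argv, _ := safeEnvArgv(benign)
	fmt.Printf("benign argv: %q\n", argv)
}
```

Go's exec.Command never goes through a shell, so shell metacharacters in the value are harmless here; the injection is entirely into env's own option parsing, which is why validating the variable name (and adding "--") is the relevant fix rather than quoting. The identifier check also rejects names containing '=', which would otherwise let a client smuggle a second assignment into the same argument.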

Exploit

Fix

RCE

Argument Injection

Weakness Enumeration

Related Identifiers

BDU:2024-05765
CVE-2024-39930
GHSA-P69R-V3H4-RJ4F
GHSA-VM62-9JW3-C8W3
GO-2024-2969

Affected Products

Gogs