PT-2023-9257 · Gogs · Gogs

Published: 2023-04-20 · Updated: 2025-08-29 · CVE-2024-39931

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gogs versions 0.13.0 and earlier

Description: The issue allows an attacker to delete or modify arbitrary files on a vulnerable Gogs server. It can be exploited by a remote attacker. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration, allowing access to and alteration of any user's code hosted on the same instance.

Recommendations: For Gogs versions 0.13.0 and earlier, upgrade to 0.13.1 or the latest 0.14.0+dev to resolve the issue. As a temporary workaround, consider granting access to your Gogs instance only to trusted users on affected versions.

Fix

Weakness Enumeration: Files Accessible to External Parties

Related Identifiers

BDU:2024-05766
CVE-2024-39931
GHSA-2VGJ-3PVG-XH4W
GHSA-CCQV-43VM-4F3W
GO-2024-2970

Affected Products

Gogs