PT-2023-9259 · Gogs · Gogs

Paul Gerste +1 · Published 2023-04-20 · Updated 2025-04-10 · CVE-2024-39933

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Gogs versions 0.13.0 and earlier

Description: The issue is an argument injection during the tagging of a new release. It allows a remote attacker to disclose protected information: an unprivileged user account with at least one SSH key can read arbitrary files on the system. This can leak the configuration file, including the [database] credentials and the [security] SECRET_KEY, as well as TLS certificates, other users' repositories, and the Gogs database itself when the SQLite driver is enabled.

Recommendations: For Gogs versions 0.13.0 and earlier, upgrade to version 0.13.1 or the latest 0.14.0+dev to resolve the issue. As a temporary measure, grant access to your Gogs instance only to trusted users on affected versions, as there is no viable workaround available.

Weakness Enumeration

Argument Injection

Related Identifiers

BDU:2024-05768
CVE-2024-39933
GHSA-8MM6-WMPP-MMM3
GHSA-M27M-H5GJ-WWMG
GO-2024-2972

Affected Products

Gogs