PT-2025-26688 · Gogs · Gogs

Published

2025-06-24

·

Updated

2026-02-12

·

CVE-2024-56731

CVSS v3.1

10

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.13.3
Description: Gogs, an open-source self-hosted Git service, contains a flaw that lets an unprivileged user account execute arbitrary commands on the Gogs instance. The patch for a previous issue was insufficient: it did not check for symbolic links, so an attacker can route a file operation through a symlink into a repository's .git directory, delete files there, and bypass the intended protection to achieve remote command execution. Commands run with the privileges of the account named by the RUN_USER configuration variable, and the attacker can read and modify any user's code hosted on the same instance.
Recommendations: Update Gogs to version 0.13.3 or later.
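The class of check the advisory says was missing, shown as an added illustration in Go (the language Gogs is written in). This is not Gogs' own code: the repository layout, the function names and the sentinel errors are assumptions made for the example. It places a purely lexical guard (reject paths that begin with ".git") beside a hardened guard that walks the requested path one component at a time with os.Lstat, refusing any symbolic link, any component named ".git" and any escape from the repository root, and demonstrates that a planted symlink docs -> .git defeats the lexical guard but not the hardened one.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Sentinel errors so callers can tell the rejections apart (names are assumed).
var (
	ErrInvalidPath = errors.New("path escapes the repository root")
	ErrGitDir      = errors.New("path touches the .git directory")
	ErrSymlink     = errors.New("path traverses a symbolic link")
)

// lexicalCheck is the insufficient guard: it inspects only the path string
// and rejects paths whose first component is ".git". A symlink elsewhere in
// the tree that points at .git passes straight through it.
func lexicalCheck(rel string) error {
	clean := filepath.ToSlash(filepath.Clean(rel))
	if clean == ".git" || strings.HasPrefix(clean, ".git/") {
		return ErrGitDir
	}
	return nil
}

// safeRepoPath is the hardened guard. It resolves rel inside repoRoot one
// component at a time with os.Lstat (which reports a symlink instead of
// following it) and rejects absolute paths, "..", any component named ".git"
// (case-insensitively, for case-folding filesystems) and any existing
// component that is a symlink. Components that do not exist yet are allowed,
// so a new file can be created, but their names are still checked.
// Callers must use the returned path, not the raw rel.
func safeRepoPath(repoRoot, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", ErrInvalidPath
	}
	clean := filepath.Clean(rel)
	if clean == "." || clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", ErrInvalidPath
	}
	cur := repoRoot
	exists := true
	for _, comp := range strings.Split(filepath.ToSlash(clean), "/") {
		if strings.EqualFold(comp, ".git") {
			return "", ErrGitDir
		}
		cur = filepath.Join(cur, comp)
		if !exists {
			continue // parent is missing, so this component cannot be a symlink
		}
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			exists = false
			continue
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrSymlink
		}
	}
	return cur, nil
}

// buildDemoRepo creates a throwaway tree that mimics a checked-out repository:
// README.md, .git/hooks/pre-receive, and a symlink docs -> .git standing in for
// one an attacker has planted. The layout is constructed for this example.
func buildDemoRepo() (string, error) {
	root, err := os.MkdirTemp("", "repo-")
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Join(root, ".git", "hooks"), 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(root, ".git", "hooks", "pre-receive"), []byte("#!/bin/sh\n"), 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(root, "README.md"), []byte("hello\n"), 0o644); err != nil {
		return "", err
	}
	if err := os.Symlink(".git", filepath.Join(root, "docs")); err != nil {
		return "", err
	}
	return root, nil
}

func main() {
	root, err := buildDemoRepo()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, rel := range []string{"README.md", ".git/config", "docs/hooks/pre-receive", "../outside", "new/file.txt"} {
		_, hardened := safeRepoPath(root, rel)
		fmt.Printf("%-24s lexical=%v hardened=%v\n", rel, lexicalCheck(rel), hardened)
	}
}
```

The important design point is that the hardened guard never calls filepath.EvalSymlinks on the whole path and then compares prefixes: that would follow the symlink first and only tell you where it ended up. Inspecting each component with Lstat refuses the symlink itself, which is what closes the bypass described above.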

Exploit · Fix · RCE · Files Accessible to External Parties

Related Identifiers

CVE-2024-56731
GHSA-WJ44-9VCG-WJQ7
GO-2025-3776
OPENSUSE-SU-2025:15405-1

Affected Products

Gogs