
Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git Service

Updated on July 8, 2024


Four unpatched security flaws, including three critical ones, have been disclosed in the Gogs open-source, self-hosted Git service. These vulnerabilities could enable an authenticated attacker to breach susceptible instances, steal or wipe source code, and even plant backdoors.


According to SonarSource researchers Thomas Chauchefoin and Paul Gerste, the vulnerabilities are:

  • CVE-2024-39930 (CVSS score: 9.9) – Argument injection in the built-in SSH server
  • CVE-2024-39931 (CVSS score: 9.9) – Deletion of internal files
  • CVE-2024-39932 (CVSS score: 9.9) – Argument injection during changes preview
  • CVE-2024-39933 (CVSS score: 7.7) – Argument injection when tagging new releases

Successful exploitation of the first three flaws could allow an attacker to execute arbitrary commands on the Gogs server. The fourth flaw allows attackers to read arbitrary files, such as source code and configuration secrets.

In other words, by exploiting these issues, a threat actor could read source code, modify or delete any code, target internal hosts reachable from the Gogs server, and impersonate other users to gain more privileges.

All four vulnerabilities require the attacker to be authenticated. Additionally, triggering CVE-2024-39930 requires that the built-in SSH server be enabled, that the env binary be in use on the host, and that the attacker hold a valid SSH private key for an account on the instance.

“If the Gogs instance has registration enabled, the attacker can simply create an account and register their SSH key,” the researchers noted. “Otherwise, they would have to compromise another account or steal a user’s SSH private key.”

Gogs instances running on Windows are not exploitable, and neither is the official Docker image. Instances running on Debian and Ubuntu are vulnerable, however, because the env binary shipped there supports the "--split-string" option.
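The bug class shared by the three 9.9-rated issues (client-controlled words landing in another program's argv) is easiest to see in code. The Go program below is an added, constructed illustration; it is not Gogs' code and not SonarSource's proof of concept. It assumes a server that forwards the words of the SSH client's exec request into env's argv after a fixed prefix, and contrasts that with a builder that allow-lists the verb, rejects option-like words and terminates option parsing with "--". The GIT_DIR prefix, the allow-list and the hostile input are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed illustration of the argument-injection class behind
// CVE-2024-39930; NOT Gogs' code. Assumed shape: the words of an SSH
// client's exec request are appended to env's argv after a fixed prefix.
// If the first client-controlled word starts with "-", env parses it as
// one of its own options; with GNU env's -S/--split-string one token can
// become a whole command line.

// buildArgvNaive appends the client's words straight after a fixed prefix.
func buildArgvNaive(repoPath string, clientWords []string) []string {
	argv := []string{"env", "GIT_DIR=" + repoPath}
	return append(argv, clientWords...)
}

// envOptionInjected reports whether env would read the word right after
// the fixed prefix as an option. "--" is env's option terminator, not an
// option, so it does not count.
func envOptionInjected(argv []string, prefixLen int) bool {
	if len(argv) <= prefixLen {
		return false
	}
	w := argv[prefixLen]
	return w != "--" && strings.HasPrefix(w, "-")
}

// allowedVerbs is the full set of commands a Git-over-SSH service must run
// (assumed allow-list for the example).
var allowedVerbs = map[string]bool{
	"git-upload-pack":    true,
	"git-receive-pack":   true,
	"git-upload-archive": true,
}

// buildArgvSafe keeps the same layout but (1) allow-lists the verb,
// (2) rejects option-like words and (3) puts "--" before the client-
// controlled part so env stops option parsing regardless of what follows.
func buildArgvSafe(repoPath string, clientWords []string) ([]string, error) {
	if len(clientWords) == 0 || !allowedVerbs[clientWords[0]] {
		return nil, errors.New("refusing ssh command: verb not allow-listed")
	}
	for _, w := range clientWords[1:] {
		if strings.HasPrefix(w, "-") {
			return nil, fmt.Errorf("refusing ssh command: option-like argument %q", w)
		}
	}
	argv := []string{"env", "GIT_DIR=" + repoPath, "--"}
	return append(argv, clientWords...), nil
}

func main() {
	// Constructed client input: the words of a hostile SSH exec request.
	hostile := []string{"-S", "sh -c id"}
	naive := buildArgvNaive("/repos/demo.git", hostile)
	fmt.Printf("naive argv: %q  option injected: %v\n", naive, envOptionInjected(naive, 2))

	if _, err := buildArgvSafe("/repos/demo.git", hostile); err != nil {
		fmt.Println("safe builder:", err)
	}
	good, _ := buildArgvSafe("/repos/demo.git", []string{"git-upload-pack", "demo.git"})
	fmt.Printf("safe argv:  %q  option injected: %v\n", good, envOptionInjected(good, 2))
}
```

In the naive layout the token "-S" reaches env as its own option, and with --split-string the single following token "sh -c id" is re-split into a full command line; that is why the article ties exploitability to hosts whose env supports the option. The safe builder refuses the request before anything is executed, and the "--" guard means even an allow-listed verb followed by a stray option-like word can no longer steer env.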

According to Shodan, around 7,300 Gogs instances are publicly accessible over the internet, with nearly 60% located in China, followed by the U.S., Germany, Russia, and Hong Kong.

It’s currently unclear how many of these exposed servers are vulnerable. SonarSource reported that the project maintainers “did not implement fixes and stopped communicating” after accepting the initial report on April 28, 2023.

In the absence of an official update, users are advised to disable the built-in SSH server, turn off user registration to prevent mass exploitation, and consider switching to Gitea. SonarSource has also released a patch that users can apply themselves, but it has not been extensively tested.
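The two configuration changes recommended above live in a Gogs instance's custom/conf/app.ini. The Go program below is an added example, not Gogs' own tooling: it assumes the key names START_SSH_SERVER under [server] and DISABLE_REGISTRATION under [service], and assumes both default to false when omitted (so a file that never mentions DISABLE_REGISTRATION still leaves self-registration open). It parses a file with a minimal INI reader and reports which of the two exposures a configuration still has. The two embedded app.ini fragments are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed example, not Gogs' code: audit an app.ini for the two
// hardening settings the advisory recommends. Assumed Gogs keys:
// [server] START_SSH_SERVER and [service] DISABLE_REGISTRATION,
// both assumed to default to false when absent.

// parseINI returns section -> key -> value. Later duplicates win and
// lines starting with ';' or '#' are treated as comments. Deliberately
// minimal; it does not handle quoting or continuation lines.
func parseINI(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "", strings.HasPrefix(line, ";"), strings.HasPrefix(line, "#"):
			continue
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			section = strings.TrimSpace(line[1 : len(line)-1])
		default:
			k, v, ok := strings.Cut(line, "=")
			if !ok {
				continue
			}
			if cfg[section] == nil {
				cfg[section] = map[string]string{}
			}
			cfg[section][strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return cfg
}

// boolSetting reads a boolean key, falling back to def when it is absent.
func boolSetting(cfg map[string]map[string]string, section, key string, def bool) bool {
	v, ok := cfg[section][key]
	if !ok {
		return def
	}
	return strings.EqualFold(v, "true")
}

// Findings lists the exposures an app.ini leaves open; empty means both
// recommended mitigations are in place.
func Findings(text string) []string {
	cfg := parseINI(text)
	var out []string
	if boolSetting(cfg, "server", "START_SSH_SERVER", false) {
		out = append(out, "built-in SSH server enabled (set START_SSH_SERVER = false)")
	}
	if !boolSetting(cfg, "service", "DISABLE_REGISTRATION", false) {
		out = append(out, "self-registration open (set DISABLE_REGISTRATION = true)")
	}
	return out
}

// Constructed app.ini fragments: the risky shape and the hardened one.
const weakINI = `; constructed: built-in SSH on, registration open
[server]
START_SSH_SERVER = true
SSH_PORT = 2222

[service]
DISABLE_REGISTRATION = false
`

const hardenedINI = `; constructed: both recommended changes applied
[server]
START_SSH_SERVER = false

[service]
DISABLE_REGISTRATION = true
`

func main() {
	for _, c := range []struct{ name, ini string }{{"weak", weakINI}, {"hardened", hardenedINI}} {
		f := Findings(c.ini)
		if len(f) == 0 {
			fmt.Printf("%s: ok\n", c.name)
			continue
		}
		fmt.Printf("%s:\n", c.name)
		for _, line := range f {
			fmt.Println("  -", line)
		}
	}
}
```

Run it against a real custom/conf/app.ini by reading the file into a string and passing it to Findings; an empty result means the two mitigations the article lists are applied, which does not address the other three flaws, all of which remain reachable by any authenticated user.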


This disclosure coincides with findings from Aqua Security, highlighting that sensitive information like access tokens and passwords can remain permanently exposed in Git-based source code management systems, even after removal.

In light of these findings, users are urged to take immediate protective measures to secure their Gogs instances.


Abdul Rehman
