Gogs Remote Command Execution Vulnerability (CVE-2024-56731)
Recently, NSFOCUS CERT detected that Gogs issued a security bulletin fixing a remote command execution vulnerability in Gogs (CVE-2024-56731). Because the fix for CVE-2024-39931 was incomplete, an authenticated attacker can delete files in the .git directory through symbolic links and execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration, thereby accessing and modifying the code of any user hosted on the same instance. The CVSS score is 10.0; affected users should take protective measures as soon as possible.
Gogs (Go Git Service) is a self-hosted Git service written in Go, designed to be the easiest way to build a simple, stable and scalable code hosting platform.
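The advisory above describes a general pattern worth checking for in any Git hosting service: a user-controlled path is acted on after it passes a naive check, but a symbolic link in the working tree redirects the operation into the repository's own .git directory. The following Go program is an added example written for this page; it is not Gogs's code and not the project's actual fix. It shows one defensive check a service could apply before deleting or writing a user-named path: refuse traversal and literal `.git/...` paths on the cleaned path, then resolve every symlink and refuse again if the real target is outside the tree or inside `.git`. The names `SafeRepoPath`, `within` and `buildDemoTree` are hypothetical, and the demo directory layout (a README, a `.git/config` file and three symlinks) is constructed inline for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var (
	ErrOutsideTree = errors.New("path resolves outside the repository working tree")
	ErrGitDir      = errors.New("path resolves into the repository's .git directory")
)

// within reports whether p is root itself or lies beneath it (both absolute and link-free).
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeRepoPath (a hypothetical helper, not Gogs code) takes a working-tree root and a
// user-supplied relative path such as a file the user asked to delete. It returns the
// resolved absolute path only if, after following every symbolic link, the target is
// still inside the tree and not inside its .git directory.
func SafeRepoPath(root, userPath string) (string, error) {
	rootReal, err := filepath.Abs(root)
	if err == nil {
		// Resolve the root first so both sides of each comparison are link-free.
		rootReal, err = filepath.EvalSymlinks(rootReal)
	}
	if err != nil {
		return "", err
	}
	gitDir := filepath.Join(rootReal, ".git")
	// Join cleans "..", so plain traversal and literal ".git/..." paths fail before any I/O.
	candidate := filepath.Join(rootReal, userPath)
	if !within(rootReal, candidate) {
		return "", ErrOutsideTree
	}
	if within(gitDir, candidate) {
		return "", ErrGitDir
	}
	// Follow symlinks: a link that lives inside the tree may point anywhere at all.
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", fmt.Errorf("resolving %q: %w", userPath, err)
	}
	if !within(rootReal, resolved) {
		return "", ErrOutsideTree
	}
	if within(gitDir, resolved) {
		return "", ErrGitDir
	}
	return resolved, nil
}

// buildDemoTree creates a constructed layout in a temp dir: repo/README.md, repo/.git/config,
// and in repo/ the symlinks config-link -> .git/config, gitdir-link -> .git, escape-link -> ../outside.
func buildDemoTree() (string, func(), error) {
	parent, err := os.MkdirTemp("", "safepath-demo-")
	if err != nil {
		return "", nil, err
	}
	cleanup := func() { os.RemoveAll(parent) }
	root := filepath.Join(parent, "repo")
	steps := []func() error{
		func() error { return os.MkdirAll(filepath.Join(root, ".git"), 0o755) },
		func() error { return os.Mkdir(filepath.Join(parent, "outside"), 0o755) },
		func() error { return os.WriteFile(filepath.Join(root, "README.md"), []byte("demo\n"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(root, ".git", "config"), []byte("[core]\n"), 0o644) },
		func() error { return os.Symlink(filepath.Join(".git", "config"), filepath.Join(root, "config-link")) },
		func() error { return os.Symlink(".git", filepath.Join(root, "gitdir-link")) },
		func() error { return os.Symlink(filepath.Join("..", "outside"), filepath.Join(root, "escape-link")) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return root, cleanup, nil
}

func main() {
	root, cleanup, err := buildDemoTree()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	for _, p := range []string{"README.md", ".git/HEAD", "config-link", "gitdir-link", "escape-link", "../outside"} {
		if resolved, err := SafeRepoPath(root, p); err != nil {
			fmt.Printf("%-12s refused: %v\n", p, err)
		} else {
			fmt.Printf("%-12s ok -> %s\n", p, resolved)
		}
	}
}
```

The check is done twice on purpose: the first pass on the cleaned path rejects `..` traversal and direct `.git` references without touching the filesystem (so it also covers paths that do not exist yet), and the second pass on the `EvalSymlinks` result is what catches a link that lives inside the tree but points into `.git` or out of the tree entirely. Any service that deletes or writes repository files on a user's behalf should also run as a dedicated low-privilege account (the page's RUN_USER), so that a bypass of checks like this one is contained.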
Reference link: Gogs Security Advisory
To read the complete article see: NSFocus Global