Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-m27m-h5gj-wwmg

GitHub Security Advisory

Gogs allows argument Injection when tagging new releases

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

### Impact

Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials (`[database] *`) and `[security] SECRET_KEY`. Attackers could also exfiltrate TLS certificates, other users' repositories, and the Gogs database when the SQLite driver is enabled.

### Patches

Unintended Git options has been ignored for creating tags (https://github.com/gogs/gogs/pull/7872). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

### Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

### References

https://www.cve.org/CVERecord?id=CVE-2024-39933

Affected Packages

Go gogs.io/gogs
Affected versions: 0 (fixed in 0.13.1)

Related CVEs

CVE-2024-39933

Key Information

GHSA ID
GHSA-m27m-h5gj-wwmg
Published
December 23, 2024 8:38 PM
Last Modified
December 23, 2024 8:38 PM
CVSS Score
7.5 /10
Primary Ecosystem
Go
Primary Package
gogs.io/gogs
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 13, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.