Duplicate Advisory: github.com/gogs/gogs affected by CVE-2024-39930
Critical severity
GitHub Reviewed
Published
Jul 4, 2024
to the GitHub Advisory Database
•
Updated Dec 23, 2024
Withdrawn
This advisory was withdrawn on Dec 23, 2024
Description
Published by the National Vulnerability Database
Jul 4, 2024
Published to the GitHub Advisory Database
Jul 4, 2024
Reviewed
Jul 10, 2024
Withdrawn
Dec 23, 2024
Last updated
Dec 23, 2024
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-vm62-9jw3-c8w3. This link is maintained to preserve external references.
Original Description
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
References