CVE-2024-39930

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/07/2024
Last modified: 11/04/2025

Description

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:* | | 0.13.0 (including)