Critical Vulnerabilities Found in Gogs Self-Hosted Git Service: Urgent Update Required
Multiple critical security vulnerabilities have been discovered in Gogs, a popular open-source self-hosted Git service. These vulnerabilities, with CVSS scores ranging from 7.7 to 9.9, could allow attackers to execute arbitrary code, gain unauthorized access, and steal sensitive data.
Vulnerabilities and Impacts:
- CVE-2024-55947 (CVSS 8.7): Allows attackers to write files to arbitrary paths, potentially granting SSH access to the server.
- CVE-2024-39930 (CVSS 9.9): Enables unprivileged users to execute commands with elevated privileges when the built-in SSH server is enabled.
- CVE-2024-39931 (CVSS 9.9): Permits unprivileged users to delete internal files, potentially leading to system compromise.
- CVE-2024-39932 (CVSS 9.9): Allows attackers to write to arbitrary files, potentially facilitating a forced re-installation and granting administrator rights.
- CVE-2024-39933 (CVSS 7.7): Enables unprivileged users to read arbitrary files, including configuration files containing database credentials and TLS certificates.
- CVE-2024-54148 (CVSS 8.7): Allows attackers to gain SSH access to the server by manipulating symlink files.
Urgent Action Needed:
Users of Gogs are strongly urged to update their installations to version 0.13.1 or the latest 0.14.0+dev immediately. These updates address the identified vulnerabilities and provide crucial security fixes.
Workarounds:
If you cannot update immediately, restrict access to your Gogs instance to trusted users only. For CVE-2024-39930, disable the built-in SSH server on non-Windows systems.
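An added check script, not part of this advisory or of the Gogs project, that turns the two remediation conditions above into an automated audit: is the running version at least 0.13.1, and if not, is the built-in SSH server enabled? It assumes the `gogs --version` output looks like `Gogs version 0.13.0` and that the built-in SSH server is controlled by `START_SSH_SERVER` in the `[server]` section of `custom/conf/app.ini`; the sample app.ini is constructed for the demonstration.

```python
"""Audit a Gogs install against the advisory: version >= 0.13.1, else built-in SSH off."""
import configparser
import re

FIXED_VERSION = (0, 13, 1)  # first fixed release named in the advisory

# Constructed sample of a custom/conf/app.ini, with the built-in SSH server turned on.
SAMPLE_APP_INI = """\
APP_NAME = Gogs
[server]
DOMAIN = git.example.internal
START_SSH_SERVER = true
SSH_PORT = 2222
"""

def parse_version(text: str) -> tuple:
    """Extract X.Y.Z from 'Gogs version 0.13.0' or '0.14.0+dev' as an int tuple.
    The '+dev' suffix is ignored; only the numeric part is compared."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())

def builtin_ssh_enabled(app_ini: str) -> bool:
    """True if [server] START_SSH_SERVER is on (assumed key; Gogs defaults it to off).
    A dummy section is prepended because app.ini has keys before the first header."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[_global]\n" + app_ini)
    return cp.getboolean("server", "START_SSH_SERVER", fallback=False)

def assess(version_output: str, app_ini: str) -> dict:
    """Return the parsed state plus a list of findings a defender should act on."""
    version = parse_version(version_output)
    patched = version >= FIXED_VERSION
    ssh_on = builtin_ssh_enabled(app_ini)
    findings = []
    if not patched:
        findings.append("Gogs %d.%d.%d is below 0.13.1: update" % version)
        if ssh_on:
            findings.append("built-in SSH server enabled on an unpatched instance "
                            "(CVE-2024-39930): set START_SSH_SERVER = false")
    return {"version": version, "patched": patched,
            "builtin_ssh": ssh_on, "findings": findings}

if __name__ == "__main__":
    for line in assess("Gogs version 0.13.0", SAMPLE_APP_INI)["findings"]:
        print("FINDING:", line)
```

Feed it the real `gogs --version` output and the contents of your app.ini; an empty findings list means the instance is either patched or, failing that, has the SSH workaround in place.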