The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
References
Configurations
No configuration.
History
28 Aug 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Aug 2024, 19:35
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-88 |
05 Jul 2024, 12:55
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
04 Jul 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-04 16:15
Updated : 2024-08-28 16:15
NVD link : CVE-2024-39930
Mitre link : CVE-2024-39930
CVE.ORG link : CVE-2024-39930
JSON object : View
Products Affected
No product.
CWE
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')