CRITICAL🇵🇱 Wersja polska

CVE-2024-56731

CVSS 10.0v3.1pub. 2025-06-24upd. 2025-08-21

Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.

🤖 AI Analysis
How it works

The vulnerability results from incomplete security measures introduced as part of the patch for CVE-2024-39931 — the protection mechanism does not effectively block file deletion operations within the .git directory of a repository. An unprivileged user account can manipulate the contents of the .git directory, leading to the execution of arbitrary commands on the Gogs instance. Commands are executed with the permissions of the system account specified by the RUN_USER parameter in the service configuration.

Impact

An attacker can execute arbitrary system commands on the Gogs server and gain access to source code and modify repositories of all users hosted on the same instance.

Mitigation & patch

Gogs should be updated to version 0.13.3, where the vulnerability has been patched. The patch is available in the project's GitHub repository (tag v0.13.3).

Who is affected

Gogs in versions prior to 0.13.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Gogs

    APP
    Gogs
    < 0.13.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-25921CRITICAL9.3PL ✓ten sam produkt

Gogs: nadpisywanie obiektów LFS między repozytoriami – atak na łańcuch dostaw

CVE-2025-64111CRITICAL9.3PL ✓ten sam produkt

Gogs: ominięcie patcha CVE-2024-56731 umożliwia RCE przez .git

CVE-2022-1884CRITICAL9.8PL ✓ten sam produkt

RCE w Gogs poprzez command injection w parametrze tree_path (Windows)

CVE-2024-39930CRITICAL9.9PL ✓ten sam produkt

Argument injection w serwerze SSH Gogs prowadzący do RCE

CVE-2024-39931CRITICAL9.9PL ✓ten sam produkt

Gogs – nieautoryzowane usuwanie plików wewnętrznych (CWE-552)