Gogs: >> Gogs >> 0.11.43 Security Vulnerabilities
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.
CVSS Score
10.0
EPSS Score
0.005
Published
2025-06-24
Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
CVSS Score
9.8
EPSS Score
0.006
Published
2024-12-23
Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
CVSS Score
8.8
EPSS Score
0.011
Published
2024-12-23
Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.
CVSS Score
8.8
EPSS Score
0.163
Published
2024-11-15
A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the .git directory, allowing them to write or rewrite the `.git/config` file. If the `core.sshCommand` is set, this can lead to remote command execution.
CVSS Score
10.0
EPSS Score
0.101
Published
2024-11-15
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
CVSS Score
9.9
EPSS Score
0.045
Published
2024-07-04
Gogs through 0.13.0 allows deletion of internal files.
CVSS Score
9.9
EPSS Score
0.072
Published
2024-07-04
Gogs through 0.13.0 allows argument injection during the previewing of changes.
CVSS Score
9.9
EPSS Score
0.021
Published
2024-07-04
Gogs through 0.13.0 allows argument injection during the tagging of a new release.
CVSS Score
7.7
EPSS Score
0.002
Published
2024-07-04
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.
CVSS Score
9.8
EPSS Score
0.438
Published
2023-02-25
Page 1