CVE-2024-39930
published 2024-07-04

CVE-2024-39930: The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution.

Priority: P2 · 74 · critical · 9.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploit: available
EPSS: 7.26% (93.6th percentile)
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
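The snippet below is an added illustration written for this page; it is not Gogs's own code nor the fix that shipped in 0.13.1. It assumes (the page does not show the source) that the vulnerable path turned each SSH env request into a NAME=VALUE argument of the env(1) binary placed before the real command, so a name beginning with "--" is parsed by GNU env as an option, and "--split-string" (env -S) makes env split the value and execute it. That reading also explains why Windows, which has no GNU env, is unaffected. The hardened functions reject any name that is not a valid environment identifier and set the environment through cmd.Env, which no argument parser ever sees. Names such as sshEnv, vulnerableArgv, safeEnv and hardenedCommand are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// sshEnv is the name/value pair carried by an SSH "env" channel request
// (RFC 4254 section 6.4). Both fields are fully client-controlled.
type sshEnv struct {
	Name  string
	Value string
}

// vulnerableArgv mirrors the risky pattern assumed above (not quoted from Gogs):
// every NAME=VALUE becomes an argv element of the env(1) binary. GNU env treats
// any argument starting with "-" as an option, so a name of "--split-string"
// turns into "env -S <value> ..." and env splits and executes the value.
func vulnerableArgv(envs []sshEnv, command ...string) []string {
	argv := []string{"env"}
	for _, e := range envs {
		argv = append(argv, fmt.Sprintf("%s=%s", e.Name, e.Value))
	}
	return append(argv, command...)
}

// validEnvName is a POSIX-style environment variable name: no leading dash,
// no '=', no whitespace. The injection lives entirely in the name, so this is
// the check that closes it.
var validEnvName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// safeEnv validates every name and returns NAME=VALUE strings for cmd.Env.
// Values are never interpreted by an argument parser, so they need no filtering.
func safeEnv(envs []sshEnv) ([]string, error) {
	out := make([]string, 0, len(envs))
	for _, e := range envs {
		if !validEnvName.MatchString(e.Name) {
			return nil, fmt.Errorf("rejecting SSH env request with invalid name %q", e.Name)
		}
		out = append(out, e.Name+"="+e.Value)
	}
	return out, nil
}

// hardenedCommand builds the child process with the client-supplied variables
// in cmd.Env rather than in argv, so none of them can be read as an option of
// env(1) or of the command itself.
func hardenedCommand(envs []sshEnv, command ...string) (*exec.Cmd, error) {
	env, err := safeEnv(envs)
	if err != nil {
		return nil, err
	}
	if len(command) == 0 {
		return nil, errors.New("empty command")
	}
	cmd := exec.Command(command[0], command[1:]...)
	cmd.Env = env // deliberately not inheriting os.Environ() in this example
	return cmd, nil
}

func main() {
	// Constructed requests: one benign, one carrying the --split-string payload.
	benign := []sshEnv{{"GIT_PROTOCOL", "version=2"}}
	evil := []sshEnv{{"--split-string", "touch /tmp/rce_proof"}}

	fmt.Println("vulnerable argv (benign):", vulnerableArgv(benign, "gogs", "serv", "key-1"))
	fmt.Println("vulnerable argv (evil):  ", vulnerableArgv(evil, "gogs", "serv", "key-1"))
	if _, err := hardenedCommand(evil, "gogs", "serv", "key-1"); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

The evil argv prints as [env --split-string=touch /tmp/rce_proof gogs serv key-1]; run through GNU env that is an -S option, not a variable assignment. The hardened path refuses the request before any process is spawned, which is the behaviour to look for when verifying a patched server: a client sending such an env request must get no command execution at all.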

Affected (4 ranges)

Vendor       Product     Version range      Fixed in
github.com   gogs_gogs   0 – 0.13.0
gogs.io      gogs        >= 0, < 0.13.1     0.13.1
gogs.io      gogs        >= 0, < 0.14.3     0.14.3
gogs         gogs        <= 0.13.0

Detection & IOCs (extracted from sources)

path:    internal/ssh/ssh.go
path:    internal/database/pull.go
path:    internal/route/repo/pull.go
command: --exec=touch${IFS}/tmp/rce_proof
command: git rebase --quiet '--exec=touch${IFS}/tmp/rce_proof' 'head_repo/feature'
command: --exec=echo${IFS}|base64${IFS}-d|sh
command: --exec=sh${IFS}.abcdef

Only internal/ssh/ssh.go is the CVE-2024-39930 code path. The two pull.go paths and the --exec= commands belong to the separate rebase-merge argument-injection path described in the notes below.
  • Detect SSH environment variable injection: monitor SSH sessions where an environment variable named '--split-string' is set, which is the core exploitation mechanism for CVE-2024-39930.
  • Alert on SSH exec_command calls to 'git-upload-pack' immediately following environment variable injection attempts, as this is the exploit delivery sequence.
  • Detect git rebase commands where the base branch argument begins with '--exec=', indicating argument injection into the rebase call from a malicious branch name.
  • Monitor for branch names containing '--exec=' in Git ref creation events (refs/heads/), as the attacker must push the malicious branch to the repo before triggering the exploit.
  • Look for HTTP 500 responses from the Gogs server following a pull request merge attempt with 'Rebase before merging' enabled: the injected --exec command runs during the server-side rebase before the failed merge returns the 500, so the error is a post-exploitation signal, not evidence of a blocked attempt.
  • Detect use of ${IFS} in Git branch names or rebase arguments as a space-bypass technique used to pass shell commands through Git's branch name restrictions.
  • On Windows targets, watch for a hidden script file (e.g. '.abcdef') committed to a repository combined with a branch name matching '--exec=sh${IFS}.abcdef', indicating the file-based Windows payload delivery method.
  • Rapid7 provides a Metasploit module for this vulnerability; detect automated exploitation attempts by correlating rapid sequential API calls to /api/v1/user/repos (repo creation), /api/v1/user/keys (SSH key addition), and SSH connection from the same source.
  • The SSH-based attack vector (CVE-2024-39930) only applies when the Gogs built-in SSH server is enabled; Windows installations are unaffected by this specific vector.
  • The rebase merge attack path requires 'Rebase before merging' (PullsAllowRebase) to be enabled on a repository; however, any repo owner can enable it themselves, so restricting repo creation is the most effective mitigation.
  • Auditing or disabling rebase merge per-repo is not an effective defense against a malicious repo owner, since they can re-enable the setting at will.
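The detection rules above, turned into code as an added example that is neither part of this page's source material nor any vendor's detection content. It assumes a normalized event stream (kind, source, name, args) that a SIEM would already have produced from sshd, Gogs and process-audit logs; the field names and the sample events are constructed for the example. It implements the env-name check, the env-request-then-exec sequence, the branch-name check and the rebase --exec= check. The API-call correlation from the Metasploit note is left out because the page gives no request-log format to match on.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// event is a normalized audit record constructed for this example; the field
// names are the example's own, not a Gogs, sshd or auditd log schema.
type event struct {
	Kind   string   // "ssh_env" | "ssh_exec" | "ref_create" | "exec"
	Source string   // client address (or "gogs-server" for server-side processes)
	Name   string   // env var name, ref name, exec request, or program
	Args   []string // program arguments for "exec" events
}

// finding is one alert together with the rule that produced it.
type finding struct {
	Rule   string
	Source string
	Detail string
}

// envName matches a POSIX environment variable name; anything else arriving in
// an SSH env request (for example "--split-string") is an option being smuggled
// into an argv, which is the CVE-2024-39930 mechanism.
var envName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// suspiciousRef flags the branch-name payloads of the rebase vector: a leading
// option dash and the ${IFS} whitespace bypass.
func suspiciousRef(ref string) bool {
	short := strings.TrimPrefix(ref, "refs/heads/")
	return strings.HasPrefix(short, "-") || strings.Contains(short, "${IFS}")
}

// detect runs the rules over an ordered event stream and returns the findings
// in the order the triggering events were seen.
func detect(events []event) []finding {
	var out []finding
	injected := map[string]bool{} // sources that already sent a bad env request
	for _, e := range events {
		switch e.Kind {
		case "ssh_env":
			if !envName.MatchString(e.Name) {
				injected[e.Source] = true
				out = append(out, finding{"ssh-env-argument-injection", e.Source, e.Name})
			}
		case "ssh_exec":
			// A git-upload-pack exec request from a source that already poisoned
			// its environment is the delivery sequence: env primes argv, exec fires it.
			if injected[e.Source] && strings.HasPrefix(e.Name, "git-upload-pack") {
				out = append(out, finding{"ssh-env-injection-followed-by-exec", e.Source, e.Name})
			}
		case "ref_create":
			if suspiciousRef(e.Name) {
				out = append(out, finding{"malicious-branch-name", e.Source, e.Name})
			}
		case "exec":
			// The server never runs rebase with --exec itself, so any --exec= that
			// appears in a server-side git rebase argv was injected via a ref name.
			if e.Name == "git" && len(e.Args) > 0 && e.Args[0] == "rebase" {
				for _, a := range e.Args[1:] {
					if strings.HasPrefix(a, "--exec=") {
						out = append(out, finding{"rebase-exec-injection", e.Source, a})
					}
				}
			}
		}
	}
	return out
}

// sampleEvents is constructed input modelled on the IOCs listed on this page.
func sampleEvents() []event {
	return []event{
		{"ssh_env", "203.0.113.5", "GIT_PROTOCOL", nil},
		{"ssh_env", "203.0.113.5", "--split-string", nil},
		{"ssh_exec", "203.0.113.5", "git-upload-pack 'victim/repo.git'", nil},
		{"ref_create", "198.51.100.9", "refs/heads/feature/login", nil},
		{"ref_create", "198.51.100.9", "refs/heads/--exec=touch${IFS}/tmp/rce_proof", nil},
		{"exec", "gogs-server", "git", []string{"rebase", "--quiet", "--exec=touch${IFS}/tmp/rce_proof", "head_repo/feature"}},
	}
}

func main() {
	for _, f := range detect(sampleEvents()) {
		fmt.Printf("%-36s %-14s %s\n", f.Rule, f.Source, f.Detail)
	}
}
```

The sequence rule is keyed on the client address, so a git-upload-pack exec from a session that never sent a malformed env request produces nothing; that keeps ordinary clone and fetch traffic quiet while still catching the exact order the exploit needs.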

CVSS provenance

NVD:   v3.1  9.9 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
GHSA:        9.9 CRITICAL
OSV:         9.9 CRITICAL