CVE-2024-39932
published 2024-07-04

CVE-2024-39932: Gogs through 0.13.0 allows argument injection during the previewing of changes.

Priority: P2 · 71
CVSS 3.1: 9.9 critical (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 17.18% (96.7th percentile)

Affected (4 ranges)

Vendor      Product    Version range       Fixed in
github.com  gogs_gogs  0 – 0.13.0          –
gogs.io     gogs       >= 0, < 0.13.1      0.13.1
gogs.io     gogs       >= 0, < 0.14.3      0.14.3
gogs        gogs       <= 0.13.0           –

Detection & IOCs

command:  git rebase --quiet '--exec=touch${IFS}/tmp/rce_proof' 'head_repo/feature'
command:  --exec=touch${IFS}/tmp/rce_proof
command:  --exec=echo${IFS}|base64${IFS}-d|sh
command:  --exec=sh${IFS}.abcdef
path:     internal/database/pull.go
path:     internal/route/repo/pull.go
filename: .abcdef
  • Detect HTTP 500 responses from Gogs server coinciding with pull request merge operations — the RCE fires at git rebase step (Step 3) before the merge aborts with a 500 error, making the 500 a post-exploitation artifact.
  • Alert on git branch names or PR base branch parameters beginning with '--exec=' in Gogs HTTP request logs or database entries, as this is the injection prefix used to trigger RCE via git rebase.
  • Monitor git rebase process invocations on the Gogs server for command-line arguments containing '--exec=' flags, especially those spawning sh -c child processes, as this is the RCE execution primitive.
  • Detect use of ${IFS} in Git branch names or PR parameters in Gogs — this is used to inject spaces into shell commands while bypassing Git's prohibition on spaces in branch names.
  • Monitor for new user account creation followed immediately by repository creation and enabling of 'Rebase before merging' (PullsAllowRebase) on Gogs instances with open registration — this is the self-contained unauthenticated-to-RCE exploit chain.
  • The exploit is fully automatable via a Metasploit module; correlate rapid sequential HTTP requests for account creation, repo creation, branch push, and PR merge on Gogs endpoints as a behavioral indicator.
  • Gogs ships with open registration enabled by default, meaning any unauthenticated user can create an account and exploit this vulnerability without admin interaction. Disabling registration (DISABLE_REGISTRATION = true in app.ini) is the most impactful mitigation.
  • On Docker installations, the Gogs process runs as the git user (UID 1000 by default), giving the attacker filesystem-level read/write access to every repository under a single REPOSITORY_ROOT directory with no OS-level isolation between repositories.
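The two string-level indicators above (a branch or PR base-branch parameter that begins with `--exec=`, and `${IFS}` used as a space substitute) can be turned into a small triage check. The following is an added example written for this page, not code from the Gogs project or from the source the indicators were extracted from; the tag names, the function names and the sample branch names are assumptions, and the sample `git rebase` command line is the command IoC listed above, treated here as a process command line recorded on the Gogs host.

```python
import re
import shlex

# Indicators from the CVE-2024-39932 detection guidance: a ref name or PR
# base-branch parameter starting with "--exec=" is the injection prefix, and
# "${IFS}" is the shell space substitute used because Git forbids spaces in refs.
EXEC_PREFIX = "--exec="
IFS_TOKEN = re.compile(r"\$\{IFS\}")


def tag_branch_name(name: str) -> list[str]:
    """Detection tags for one branch name or PR base-branch parameter."""
    tags = []
    if name.startswith(EXEC_PREFIX):
        tags.append("exec-prefix")
    if IFS_TOKEN.search(name):
        tags.append("ifs-token")
    return tags


def tag_git_command(cmdline: str) -> list[str]:
    """Detection tags for a git process command line seen on the Gogs host
    (for example the argv recorded by an execve audit rule)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        # Unbalanced quoting: surface it rather than silently treating it as clean.
        return ["unparseable"]
    if len(argv) < 2 or not argv[0].endswith("git") or argv[1] != "rebase":
        return []
    tags = []
    for arg in argv[2:]:
        if arg.startswith(EXEC_PREFIX):
            tags.append("rebase-exec")
            if IFS_TOKEN.search(arg):
                tags.append("ifs-token")
            break
    return tags


# Constructed sample input (not real telemetry). Only the third branch name and
# the second command line should be flagged; "release-2024--exec=notes" is benign
# because the prefix does not sit at the start of the ref name.
SAMPLE_BRANCHES = [
    "feature/exec-cleanup",
    "release-2024--exec=notes",
    "--exec=touch${IFS}/tmp/rce_proof",
]
SAMPLE_COMMANDS = [
    "git rebase --quiet 'main' 'head_repo/feature'",
    "git rebase --quiet '--exec=touch${IFS}/tmp/rce_proof' 'head_repo/feature'",
    "git log --oneline -n 5",
]


def scan(branches, commands):
    """Return (kind, value, tags) for every input that carries at least one tag."""
    findings = []
    for b in branches:
        tags = tag_branch_name(b)
        if tags:
            findings.append(("branch", b, tags))
    for c in commands:
        tags = tag_git_command(c)
        if tags:
            findings.append(("process", c, tags))
    return findings


if __name__ == "__main__":
    for kind, value, tags in scan(SAMPLE_BRANCHES, SAMPLE_COMMANDS):
        print(f"{kind:8} {','.join(tags):22} {value}")
```

The branch-name check is deliberately anchored at the start of the string, matching the "beginning with `--exec=`" wording above, so ordinary ref names that merely contain the text are not flagged; the process check only looks at `git rebase` invocations, since that is the step at which the injected option is consumed.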

CVSS provenance

nvd:   v3.1  9.9  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ghsa:        9.9  CRITICAL
osv:         9.9  CRITICAL