Full Report
Researcher reported the vuln in March. Maintainers haven't responded to his messages since.
Analysis Summary
# Vulnerability: Authenticated Remote Code Execution in Gogs via Argument Injection
## CVE Details
- **CVE ID:** CVE-2024-39930
- **CVSS Score:** 9.4 (Critical)
- **CWE:** CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
## Affected Systems
- **Products:** Gogs (Self-hosted Git service)
- **Versions:** All released versions; no fixed release exists, and the only fix is a pending security pull request (affects all supported platforms including Windows, Linux, and macOS).
- **Configurations:** Default installations are vulnerable; the flaw is triggered during the pull request merge flow when "Rebase before merging" is enabled.
## Vulnerability Description
The vulnerability exists in the `Merge()` function within `internal/database/pull.go`. When a pull request is processed, the application passes the base branch name directly to a `git rebase` command. Gogs fails to provide a `--` separator to signify the end of command options and does not properly sanitize the branch name.
An attacker can create a branch with a name starting with a dash (e.g., `--exec=...`). Git interprets this branch name as a command-line flag rather than a reference, leading to arbitrary command execution on the host server.
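The argument-construction flaw described above, shown as an added Go example that is not Gogs's own code (the real `Merge()` in `internal/database/pull.go` is not reproduced here). `rebaseArgsUnsafe` is a hypothetical reconstruction of the vulnerable shape; `rebaseArgsSafe` shows the two fixes a reviewer would ask for, a `--` separator that terminates option parsing and a branch-name validator modelled on `git check-ref-format` rules that additionally refuses a leading dash. The argument slices are returned rather than executed, so the example runs without git installed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ErrInvalidRef is returned for any branch name the validator refuses.
var ErrInvalidRef = errors.New("invalid branch name")

// rebaseArgsUnsafe is a hypothetical reconstruction of the vulnerable shape
// (not Gogs's real code): the base branch name is placed in argv with no
// "--" and no validation, so a name beginning with "-" is parsed by git as
// an option instead of a ref.
func rebaseArgsUnsafe(base string) []string {
	return []string{"rebase", base}
}

// forbiddenChars covers the byte classes git's check-ref-format rejects:
// control characters, space, DEL, and ~ ^ : ? * [ \ .
var forbiddenChars = regexp.MustCompile(`[\x00-\x20\x7f~^:?*\[\\]`)

// validateBranchName applies a strict subset of git's ref-name rules and,
// on top of them, refuses a leading dash so the name can never be mistaken
// for an option even by a caller that forgets the "--".
func validateBranchName(name string) error {
	switch {
	case name == "":
		return fmt.Errorf("%w: empty name", ErrInvalidRef)
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("%w: %q begins with a dash and would parse as an option", ErrInvalidRef, name)
	case name == "@", strings.Contains(name, ".."), strings.Contains(name, "@{"):
		return fmt.Errorf("%w: %q contains a reserved sequence", ErrInvalidRef, name)
	case forbiddenChars.MatchString(name):
		return fmt.Errorf("%w: %q contains a forbidden character", ErrInvalidRef, name)
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"), strings.Contains(name, "//"):
		return fmt.Errorf("%w: %q has a leading, trailing or doubled slash", ErrInvalidRef, name)
	case strings.HasSuffix(name, "."):
		return fmt.Errorf("%w: %q ends with a dot", ErrInvalidRef, name)
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return fmt.Errorf("%w: component %q of %q is not allowed", ErrInvalidRef, comp, name)
		}
	}
	return nil
}

// rebaseArgsSafe is the hardened form: validate first, then terminate option
// parsing with "--" so git treats everything after it as a positional ref.
func rebaseArgsSafe(base string) ([]string, error) {
	if err := validateBranchName(base); err != nil {
		return nil, err
	}
	return []string{"rebase", "--", base}, nil
}

func main() {
	// Constructed sample names: one ordinary branch, one that starts with a dash.
	for _, base := range []string{"feature/login", "--exec=id"} {
		fmt.Printf("unsafe argv: git %s\n", strings.Join(rebaseArgsUnsafe(base), " "))
		if args, err := rebaseArgsSafe(base); err != nil {
			fmt.Printf("safe   argv: rejected (%v)\n", err)
		} else {
			fmt.Printf("safe   argv: git %s\n", strings.Join(args, " "))
		}
	}
}
```

The two measures are deliberately redundant: `--` is the fix for this call site, while rejecting a leading dash at the point where branch names enter the system protects every other git invocation that may receive the same value later. The validator is stricter than git's own rules in places (it refuses all names beginning with `-`), which is the right trade-off for a server that never needs to create such refs.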
## Exploitation
- **Status:** PoC available (Metasploit module released); no confirmed evidence of in-the-wild exploitation at the time of publication.
- **Complexity:** Low (Authenticated)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to server, credentials, and MFA secrets)
- **Integrity:** High (Ability to modify code in hosted repositories)
- **Availability:** High (Potential for complete server takeover)
## Remediation
### Patches
- **Official Patch:** As of May 29, 2024, no official patch has been released by the Gogs maintainers. A community-suggested fix has been submitted via a Pull Request and is awaiting review.
### Workarounds
* **Restrict User Registration:** Set `DISABLE_REGISTRATION = true` in `app.ini` to prevent unauthorized account creation.
* **Restrict Repository Creation:** Set `MAX_CREATION_LIMIT = 0` in `app.ini`.
* **Disable Rebase Merging:** Disable "Rebase before merging" under **Settings > Advanced**. *Note: This is not a global setting and can be re-enabled by any user with repository admin rights.*
## Detection
- **Indicators of Compromise:** Audit system logs for unusual `git rebase` commands containing `--exec` flags or suspicious branch names starting with dashes.
- **Detection Methods:** Monitor for unexpected child processes spawned by the Gogs service, particularly shell executions (e.g., `/bin/sh`, `cmd.exe`) originating from the Git process.
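Detection logic for the indicators above, as an added Go example that is not part of the original report. It runs over a few constructed process-execution records in a hypothetical `key=value` format (the field names `pid`, `ppid`, `pcomm`, `comm` and `argv` are assumptions; map them to whatever your EDR or auditd pipeline emits) and raises alerts for a `git rebase` carrying `--exec`/`-x`, for a rebase whose trailing positional argument begins with a dash, and for a shell whose parent process is git.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert is one detection hit: the 1-based log line, the rule name, a
// severity and a human-readable detail.
type Alert struct {
	Line     int
	Rule     string
	Severity string
	Detail   string
}

// SampleLog is a constructed process-execution trace in a hypothetical
// key=value format (field names are assumptions, not a real product schema).
// argv is quoted because it contains spaces.
var SampleLog = []string{
	`ts=2024-06-01T10:00:01Z pid=4102 ppid=2210 pcomm=gogs comm=git argv="git rebase main"`,
	`ts=2024-06-01T10:00:07Z pid=4105 ppid=2210 pcomm=gogs comm=git argv="git rebase --exec=id"`,
	`ts=2024-06-01T10:00:07Z pid=4106 ppid=4105 pcomm=git comm=sh argv="sh -c id"`,
	`ts=2024-06-01T10:01:12Z pid=4107 ppid=3001 pcomm=sshd comm=sh argv="sh -c uptime"`,
	`ts=2024-06-01T10:02:30Z pid=4110 ppid=2210 pcomm=gogs comm=git argv="git rebase --autostash main"`,
}

// parseEvent turns one key=value line into a map. Values may be wrapped in
// double quotes so they can contain spaces; unquoted values end at the next space.
func parseEvent(line string) map[string]string {
	fields := map[string]string{}
	rest := strings.TrimSpace(line)
	for rest != "" {
		eq := strings.IndexByte(rest, '=')
		if eq < 0 {
			break // trailing token without '=': stop rather than guess
		}
		key := rest[:eq]
		rest = rest[eq+1:]
		var val string
		if strings.HasPrefix(rest, `"`) {
			if end := strings.IndexByte(rest[1:], '"'); end >= 0 {
				val, rest = rest[1:1+end], rest[2+end:]
			} else {
				val, rest = rest[1:], "" // unterminated quote: take the remainder
			}
		} else if sp := strings.IndexByte(rest, ' '); sp >= 0 {
			val, rest = rest[:sp], rest[sp:]
		} else {
			val, rest = rest, ""
		}
		fields[key] = val
		rest = strings.TrimSpace(rest)
	}
	return fields
}

// shells lists interpreters whose appearance as a child of git is not
// expected in a server-side merge flow.
var shells = map[string]bool{
	"sh": true, "bash": true, "dash": true, "zsh": true,
	"cmd.exe": true, "powershell.exe": true,
}

// isExecOption reports whether a rebase argument is the --exec / -x option,
// which makes git run a shell command after each applied commit.
func isExecOption(a string) bool {
	return a == "-x" || a == "--exec" || strings.HasPrefix(a, "--exec=")
}

// Detect applies three rules to each line and returns every hit in log order:
//   rebase-exec-arg : git rebase carrying --exec/-x (high)
//   dash-positional : git rebase whose trailing positional begins with "-" (medium, heuristic)
//   shell-from-git  : a shell whose parent process is git (high)
func Detect(lines []string) []Alert {
	var alerts []Alert
	for i, line := range lines {
		ev := parseEvent(line)
		argv := strings.Fields(ev["argv"])
		n := i + 1
		if ev["comm"] == "git" && len(argv) >= 2 && argv[1] == "rebase" {
			for _, a := range argv[2:] {
				if isExecOption(a) {
					alerts = append(alerts, Alert{n, "rebase-exec-arg", "high", "rebase argument " + a})
					break
				}
			}
			// In "git rebase [opts] <upstream> [<branch>]" the last argument is
			// normally a ref; a dash there means either an option with no ref
			// (unusual for a merge flow) or a ref name that looks like an option.
			if last := argv[len(argv)-1]; len(argv) > 2 && strings.HasPrefix(last, "-") {
				alerts = append(alerts, Alert{n, "dash-positional", "medium", "trailing argument " + last})
			}
		}
		if ev["pcomm"] == "git" && shells[ev["comm"]] {
			alerts = append(alerts, Alert{n, "shell-from-git", "high", "argv " + ev["argv"]})
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(SampleLog) {
		fmt.Printf("line %d [%s] %s: %s\n", a.Line, a.Severity, a.Rule, a.Detail)
	}
}
```

The `dash-positional` rule is a heuristic and will fire on legitimate option-only invocations, so it is rated medium and is best correlated with `shell-from-git` on the same host within a short window; the `rebase-exec-arg` rule matches the page's indicator directly and should page on its own.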
## References
- **Rapid7 Analysis:** hxxps://www[.]rapid7[.]com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/
- **GitHub Advisory:** hxxps://github[.]com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9
- **Metasploit Module PR:** hxxps://github[.]com/rapid7/metasploit-framework/pull/21515