Full Report
Soko is Go software for publishing Gentoo Linux packages. It uses an ORM, which should in theory protect it against SQL injection. However, the code authors were misusing the prepared-statement API: instead of letting the ORM map the query parameters, they concatenated user-controlled data directly into OrderExpr, so no escaping was performed. This leads to a trivial SQL injection in the search functionality and, from there, arbitrary database leakage. The database also supported stacked queries, so the original query can be terminated and a new SQL statement started. PostgreSQL's COPY FROM PROGRAM feature can then be used to execute arbitrary code on the system. That feature is normally restricted to privileged database roles; however, because the service was run in a Docker container, the executing user was root, bypassing these checks. It's interesting that running as root inside a Docker container had such serious consequences. Overall, a good and snappy post on finding SQLi in weird places.
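As an added illustration (not code from Soko or from the post reviewed above), the concatenation pattern described there beside an allow-list replacement. The column names, the `<column>[:asc|desc]` input shape and the sample inputs are assumptions; no go-pg import is needed because only the string the ORM's OrderExpr would receive is built.

```go
package main

import (
	"fmt"
	"strings"
)

// Columns the search endpoint may legitimately sort by, mapped to the SQL
// identifier actually used in the query. Hypothetical names for this example.
var sortableColumns = map[string]string{
	"name":    "name",
	"updated": "updated_at",
	"size":    "size_bytes",
}

// vulnerableOrderExpr mirrors the misuse described above: the user-controlled
// sort parameter is concatenated straight into the ORDER BY expression, so the
// ORM receives it as trusted SQL and performs no escaping.
func vulnerableOrderExpr(userSort string) string {
	return "ORDER BY " + userSort
}

// safeOrderExpr builds the clause from the allow-list only. Input shape is
// "<column>[:asc|desc]"; anything else is rejected before any SQL is formed.
func safeOrderExpr(userSort string) (string, error) {
	column, dir := userSort, "asc"
	if i := strings.IndexByte(userSort, ':'); i >= 0 {
		column, dir = userSort[:i], strings.ToLower(userSort[i+1:])
	}
	sqlColumn, ok := sortableColumns[column]
	if !ok {
		return "", fmt.Errorf("unknown sort column %q", column)
	}
	switch dir {
	case "asc":
		return "ORDER BY " + sqlColumn + " ASC", nil
	case "desc":
		return "ORDER BY " + sqlColumn + " DESC", nil
	}
	return "", fmt.Errorf("unknown sort direction %q", dir)
}

func main() {
	// Constructed input: a sort value that closes the statement and starts a
	// second, harmless one; with stacked queries enabled both would run.
	hostile := "name; SELECT 1 --"
	fmt.Println(vulnerableOrderExpr(hostile)) // payload passes through untouched
	if _, err := safeOrderExpr(hostile); err != nil {
		fmt.Println("rejected:", err)
	}
	clause, _ := safeOrderExpr("updated:desc")
	fmt.Println(clause) // ORDER BY updated_at DESC
}
```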
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Gogs (RCE, Path Traversal, and Argument Injection)
## CVE Details
- **CVE IDs:**
  - CVE-2024-39930 (Argument Injection - SSH)
  - CVE-2024-39931 (Path Traversal/File Deletion)
  - CVE-2024-39932 (Argument Injection - Changes Preview)
  - CVE-2024-39933 (Argument Injection - Tagging)
- **CVSS Score:** 9.9 (Critical) for CVE-2024-39930, CVE-2024-39931 and CVE-2024-39932; 7.7 (High) for CVE-2024-39933
- **CWE:** CWE-88 (Argument Injection), CWE-22 (Path Traversal)
## Affected Systems
- **Products:** Gogs (Open-source self-hosted Git service)
- **Versions:** All versions up to and including **0.13.0** and commit `5bdf91e`.
- **Configurations:**
  - CVE-2024-39930 requires the built-in SSH server to be enabled.
  - CVE-2024-39931 and CVE-2024-39932 are exploitable in **default configurations**.
  - All vulnerabilities require an authenticated user account.
## Vulnerability Description
Gogs suffers from several input validation failures when passing data to system commands (specifically Git and OS file operations):
- **CVE-2024-39931 (File Deletion):** A path traversal flaw in the web UI's file deletion feature. Although `pathutil.Clean` is applied, the surrounding logic fails to prevent manipulated paths from deleting internal files outside the repository scope.
- **CVE-2024-39932 (Argument Injection):** Occurs in the "changes preview" functionality. User-controlled branch names or parameters are passed to Git commands without sufficient sanitization, allowing an attacker to inject additional flags (e.g., `--ext-diff`) that cause Git to execute arbitrary binaries.
- **CVE-2024-39930 (SSH Injection):** Misinterpretation of environment variables/arguments in the built-in SSH server allows command execution.
## Exploitation
- **Status:** PoC available (documented by SonarSource researchers); not currently confirmed in the wild.
- **Complexity:** Low (for authenticated users).
- **Attack Vector:** Network (Web UI/SSH).
## Impact
- **Confidentiality:** High (Full access to all source code, configuration secrets, and database credentials).
- **Integrity:** High (Ability to modify source code, plant backdoors, or delete all repositories).
- **Availability:** High (Ability to wipe the server or delete critical internal files).
## Remediation
### Patches
**No official patches are available.** The maintainers have ceased communication and have not fixed the issues in the latest release.
- *Note:* Users are advised to monitor the Gogs GitHub repository for community-contributed patches or consider migrating to more actively maintained forks like Gitea.
### Workarounds
- **Disable Built-in SSH:** Use the system's OpenSSH server instead of Gogs' internal SSH to mitigate CVE-2024-39930.
- **Restrict Access:** Limit account creation and ensure only trusted users have access to the instance.
- **Run as Unprivileged User:** Ensure Gogs is running as a dedicated, low-privilege user (`RUN_USER`) to limit the impact of RCE.
## Detection
- **Indicators of Compromise:**
  - Audit logs showing unusual file deletion patterns or requests to `/_delete/` with traversal sequences.
  - Unexpected Git processes spawned with flags like `--output`, `--exec`, or `--ext-diff`.
- **Detection methods:** Monitor system calls and process trees originating from the Gogs service user.
## References
- **Researcher Blog:** hxxps[://]www[.]sonarsource[.]com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-2/
- **NVD Entries:**
  - hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2024-39930
  - hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2024-39931
  - hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2024-39932