CVE-2024-39931

Critical

Gogs through 0.13.0 allows deletion of internal files.

mitre·CWE-552·Published 2024-07-04

CVSS

9.9

EPSS

0.51

KEV

Exploits

cve.orgen

54 chars

Gogs through 0.13.0 allows deletion of internal files.

NVDen

54 chars

Gogs through 0.13.0 allows deletion of internal files.

OSV.deven

62 chars

Gogs allows deletion of internal files in github.com/gogs/gogs

GHSAen

615 chars

### Impact Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same instance. ### Patches Deletion of `.git` files has been prohibited (https://github.com/gogs/gogs/pull/7870). Users should upgrade to 0.13.1 or the latest 0.14.0+dev. ### Workarounds No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions. ### References https://www.cve.org/CVERecord?id=CVE-2024-39931

NVDes

62 chars

Gogs hasta 0.13.0 permite la eliminación de archivos internos.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	9.9	—	—	CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N
3.1	Primary	NVD	9.9	3.1	6.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H