EUVD-2024-54695
GHSA-wj44-9vcg-wjq7
Severity by source
Sources disagree (Low–Critical)AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.
AnalysisAI
CVE-2024-56731 is a critical remote code execution vulnerability in Gogs (self-hosted Git service) versions prior to 0.13.3, where unprivileged users can delete files in the .git directory and achieve arbitrary command execution due to an incomplete patch of CVE-2024-39931. An unauthenticated remote attacker can execute arbitrary commands with the privileges of the RUN_USER account, compromising all code repositories and user data on affected instances. This represents an actively exploitable vulnerability with a perfect CVSS 3.1 score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no privilege requirements, and complete system compromise.
Technical ContextAI
Gogs is an open-source Git version control service written in Go that allows self-hosted git repository management. The vulnerability exploits insufficient validation in file deletion operations within git repository management, specifically allowing manipulation of the .git directory structure. This vulnerability relates to CWE-552 (Files or Directories Accessible to External Parties), indicating improper access control on critical git metadata. The root cause stems from an incomplete security patch for CVE-2024-39931, suggesting the original mitigation did not adequately restrict all attack vectors for .git directory manipulation. The vulnerability allows attackers to delete critical git internal files (hooks, objects, refs), which can be leveraged to inject malicious git hooks that execute arbitrary commands when git operations occur. Affected CPE: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:* (versions < 0.13.3).
RemediationAI
patch: Upgrade Gogs to version 0.13.3 or later immediately; priority: CRITICAL; details: Download and deploy Gogs 0.13.3+ from official repository (https://github.com/gogs/gogs) workaround: Restrict network access to Gogs service; priority: IMMEDIATE; details: Implement network segmentation, firewall rules, or VPN requirements to limit access to trusted networks only while patch is being deployed workaround: Disable repository operations if possible; priority: HIGH; details: Temporarily restrict git push/pull operations or place Gogs instance in read-only mode until patched detection: Monitor for suspicious .git directory modifications; priority: HIGH; details: Implement file integrity monitoring on .git directories and audit logs for deletion operations on git internal files hardening: Review RUN_USER privileges; priority: MEDIUM; details: Ensure RUN_USER account operates with minimal necessary privileges; use containerization/sandboxing to limit impact of code execution
Vendor StatusVendor
SUSE
Severity: Low| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today