=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN393
_____________________________________________________________________

DATE                : 25/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Gogs.

=====================================================================
https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7
_____________________________________________________________________


Deletion of internal files allows remote command execution
Critical
Published by unknwon on Jun 24, 2025 (GHSA-wj44-9vcg-wjq7)

Package
gogs.io/gogs (Go)

Affected versions
<=0.13.2

Patched versions
None


Description

Summary

Because the patch for CVE-2024-39931 was insufficient, it is still
possible to delete files under the .git directory and achieve remote
command execution.


Details

In the patch for CVE-2024-39931, the following check is added:
77a4a94

+	// 🚨 SECURITY: Prevent uploading files into the ".git" directory
+	if isRepositoryGitPath(opts.TreePath) {
+		return errors.Errorf("bad tree path %q", opts.TreePath)
+	}
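Review bot: the check on opts.TreePath inspects only the path string, so a tree path whose components are symbolic links (for example a link inside the repository that resolves to .git) passes isRepositoryGitPath and reaches the later steps unchecked, which is exactly the bypass this advisory describes. Resolve the path on disk before this return: os.Lstat each component of the joined path and reject any entry with os.ModeSymlink set, or run filepath.EvalSymlinks on the deepest existing ancestor and apply the same .git check to the resolved result.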

While the above code snippet checks whether the specified path string
points into the .git directory, nothing in the later steps checks for
symbolic links. So, by creating a symbolic link that points to the .git
directory, an attacker can still delete arbitrary files in the .git
directory and achieve remote command execution.
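The defensive shape of the fix the advisory calls for, as an added example written for this note rather than code from the Gogs project: the string check on the tree path is kept, and every on-disk component of the path is additionally inspected with os.Lstat so that a symbolic link anywhere in the path is refused before any write or delete happens. SafeTreePath and isGitComponent are hypothetical names chosen here; the example does not assume anything about the internals of Gogs' own isRepositoryGitPath.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadTreePath is returned for any tree path that must not be written
// to or deleted through the web interface.
var ErrBadTreePath = errors.New("bad tree path")

// isGitComponent reports whether a single path element names the .git
// directory. Hypothetical helper written for this example.
func isGitComponent(elem string) bool {
	return strings.EqualFold(elem, ".git")
}

// SafeTreePath validates treePath relative to repoRoot and returns the
// absolute on-disk path it refers to. It rejects:
//   - absolute paths and any ".." traversal,
//   - any component named ".git" (the string check from the advisory),
//   - any existing component that is a symbolic link, so a link such as
//     "link -> .git" can no longer be used to reach the .git directory.
func SafeTreePath(repoRoot, treePath string) (string, error) {
	if treePath == "" || filepath.IsAbs(treePath) {
		return "", ErrBadTreePath
	}
	clean := filepath.Clean(treePath)
	if clean == "." {
		return "", ErrBadTreePath
	}
	cur := repoRoot
	for _, elem := range strings.Split(clean, string(filepath.Separator)) {
		if elem == ".." || isGitComponent(elem) {
			return "", ErrBadTreePath
		}
		cur = filepath.Join(cur, elem)
		// Lstat does not follow links, so a symlink is reported as one
		// instead of as the directory or file it points to.
		fi, err := os.Lstat(cur)
		if err != nil {
			if os.IsNotExist(err) {
				// A component that does not exist yet cannot be a symlink;
				// the remaining names are still screened for ".git" and "..".
				continue
			}
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrBadTreePath
		}
	}
	return cur, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Constructed demo repository: a .git directory plus a symlink to it.
	root, err := os.MkdirTemp("", "treepath-demo-")
	must(err)
	defer os.RemoveAll(root)
	must(os.Mkdir(filepath.Join(root, ".git"), 0o755))
	must(os.Symlink(".git", filepath.Join(root, "link")))

	for _, p := range []string{"README.md", ".git/config", "link/config", "../outside"} {
		abs, err := SafeTreePath(root, p)
		fmt.Printf("%-12s -> abs=%q err=%v\n", p, abs, err)
	}
}
```

Rejecting every symlink in the path is deliberately stricter than resolving the link and re-checking the target: it also closes the window in which a link is swapped between the check and the file operation, and repositories served through a web editor rarely have a legitimate reason to edit files through a symlink.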


Impact

Unprivileged user accounts can execute arbitrary commands on the Gogs
instance with the privileges of the account specified by RUN_USER in
the configuration. This allows attackers to access and alter any user's
code hosted on the same instance.


Severity: Critical (10.0 / 10)

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Changed
  Confidentiality     : High
  Integrity           : High
  Availability        : High
  Vector              : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID
CVE-2024-56731

Weaknesses
No CWEs


Credits

    @Ry0taK (Reporter)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
