CVE-2024-39933: 
Gogs vulnerability analysis and mitigation

Gogs through version 0.13.0 contains a security vulnerability (CVE-2024-39933) that allows argument injection during the tagging of a new release. The vulnerability was discovered in July 2024 and affects all versions up to and including 0.13.0 (NVD, SonarSource).

The vulnerability has been assigned a CVSS v3.1 base score of 7.7 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. It is classified as an Argument Injection vulnerability (CWE-88) that allows unprivileged users to read arbitrary files, including configuration files containing database credentials and TLS certificates (SecurityOnline, NVD).

The vulnerability enables attackers to read arbitrary files from the Gogs server, including sensitive source code and configuration secrets. This access could potentially allow attackers to impersonate other users and gain elevated privileges (Hacker News).

Users are recommended to upgrade to version 0.13.2, which includes fixes for this vulnerability. For those unable to upgrade immediately, it is recommended to disable user registration to prevent mass exploitation and limit access to trusted users only (Hacker News).

The security community has expressed concern about the vulnerability, particularly because the project maintainers initially stopped communicating after accepting the initial report on April 28, 2023. SonarSource, which discovered the vulnerability, released their findings after the standard 90-day disclosure period (SonarSource).