CVE-2024-56731

Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9	Patch
https://github.com/gogs/gogs/releases/tag/v0.13.3	Release Notes
https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7	Vendor Advisory Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*

History

21 Aug 2025, 20:43

Type	Values Removed	Values Added
First Time		Gogs Gogs gogs
CPE		cpe:2.3:a:gogs:gogs::::::::
References	~~() https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9 -~~	() https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9 - Patch
References	~~() https://github.com/gogs/gogs/releases/tag/v0.13.3 -~~	() https://github.com/gogs/gogs/releases/tag/v0.13.3 - Release Notes
References	~~() https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7 -~~	() https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7 - Vendor Advisory, Patch

26 Jun 2025, 18:58

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-24 04:15

Updated : 2025-08-21 20:43

NVD link : CVE-2024-56731

Mitre link : CVE-2024-56731

CVE.ORG link : CVE-2024-56731

JSON object : View

Products Affected

gogs

gogs

CWE

CWE-552

Files or Directories Accessible to External Parties

{"id": "CVE-2024-56731", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-06-24T04:15:45.813", "references": [{"url": "https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gogs/gogs/releases/tag/v0.13.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7", "tags": ["Vendor Advisory", "Patch"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-552"}]}], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3."}, {"lang": "es", "value": "Gogs es un servicio Git autoalojado de c\u00f3digo abierto. Antes de la versi\u00f3n 0.13.3, a\u00fan era posible eliminar archivos del directorio .git y ejecutar comandos de forma remota debido a un parche insuficiente para CVE-2024-39931. Las cuentas de usuario sin privilegios pueden ejecutar comandos arbitrarios en la instancia de Gogs con los privilegios de la cuenta especificada por RUN_USER en la configuraci\u00f3n. Esto permite a los atacantes acceder y modificar el c\u00f3digo de cualquier usuario alojado en la misma instancia. Este problema se ha corregido en la versi\u00f3n 0.13.3."}], "lastModified": "2025-08-21T20:43:18.773", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EAD63B5C-57D7-4EF7-A87B-9DCA949BD68B", "versionEndExcluding": "0.13.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}