Skip to main content

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVE-2024-39930

Severity High
Score 9.9/10

Summary

The built-in SSH server of gogs.io/gogs allows argument injection in "internal/ssh/ssh.go", leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious "--split-string" env request if the built-in SSH server is activated. Windows installations are unaffected.

  • LOW
  • NETWORK
  • HIGH
  • CHANGED
  • NONE
  • LOW
  • HIGH
  • HIGH

CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

References

Advisory Timeline

  • Published