Code Execution Vulnerability in the Gogs Joint Development Platform

In a recent disclosure concerning the joint development platform Gogs, a critical vulnerability was revealed with a severity rating of 10 out of 10. It allows non-privileged Gogs users to execute arbitrary commands on the server with the rights of the account specified by the RUN_USER parameter in the Gogs configuration. The issue stems from an incomplete fix, released in December, for the previously disclosed vulnerability CVE-2024-39931. The vulnerability has been addressed in Gogs 0.13.3.

The vulnerability arises from the ability to manipulate files in the .git directory from the repositories' web editor. The December fix did not fully block file deletions within the .git directory: the deletion check looked only at the requested path and did not account for symbolic links. By creating a symbolic link to the .git directory and deleting through it, users could bypass the intended check and directly manipulate the .git directory.
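As an added illustration (not code from the Gogs project), the Go snippet below contrasts a lexical-only path check with one that resolves symlinks on disk before deciding whether a deletion would reach .git. The function names, the temporary repository layout and the "link" symlink are constructed for the demo.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// naiveTouchesGitDir inspects only the path as typed, so "link/HEAD" passes.
func naiveTouchesGitDir(relPath string) bool {
	p := filepath.ToSlash(filepath.Clean(relPath))
	return p == ".git" || strings.HasPrefix(p, ".git/") || strings.Contains(p, "/.git/")
}

// hardenedTouchesGitDir resolves every symlink in the requested path first,
// so a path that reaches .git only through a link is still refused.
func hardenedTouchesGitDir(repoRoot, relPath string) (bool, error) {
	rootAbs, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return false, err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(rootAbs, relPath))
	if err != nil {
		return false, err // nothing on disk to delete; surface the error
	}
	gitDir := filepath.Join(rootAbs, ".git")
	return resolved == gitDir || strings.HasPrefix(resolved, gitDir+string(filepath.Separator)), nil
}

// setupDemoRepo builds a constructed layout: .git/HEAD plus symlink "link" -> ".git".
func setupDemoRepo() (string, error) {
	root, err := os.MkdirTemp("", "gogs-demo-")
	if err == nil {
		err = os.MkdirAll(filepath.Join(root, ".git"), 0o755)
	}
	if err == nil {
		err = os.WriteFile(filepath.Join(root, ".git", "HEAD"), []byte("ref: refs/heads/main\n"), 0o644)
	}
	if err == nil {
		err = os.Symlink(".git", filepath.Join(root, "link"))
	}
	return root, err
}

func main() {
	root, _ := setupDemoRepo()
	defer os.RemoveAll(root)
	hit, _ := hardenedTouchesGitDir(root, "link/HEAD")
	fmt.Println("naive:", naiveTouchesGitDir("link/HEAD"), "hardened:", hit) // naive: false hardened: true
}
```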
