Input validation error in gogs - CVE-2024-39933

 


Published: December 23, 2024 / Updated: April 27, 2026


Vulnerability identifier: #VU128074
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-39933
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software: gogs

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper input validation in the release tagging functionality when creating new tags. A remote user can inject unintended Git options to read arbitrary files on the system and disclose sensitive information.

Exploitation requires an account with at least one SSH key.
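
As an added illustration (not code from gogs or from the vendor's fix), the Go sketch below shows the usual defence against this class of option injection: reject tag names that start with `-` and place `--` before user-controlled values. The function names `validateTagName` and `tagArgs` are hypothetical, and it assumes the application creates tags by invoking `git tag`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// validateTagName enforces a subset of git's ref-name rules and, first of all,
// rejects a leading '-', which is what lets a name be parsed as an option.
func validateTagName(name string) error {
	if name == "" || strings.HasPrefix(name, "-") || strings.HasPrefix(name, ".") {
		return errors.New("tag name is empty or starts with '-' or '.'")
	}
	if strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") || strings.HasSuffix(name, ".lock") {
		return errors.New("tag name ends with '/', '.' or '.lock'")
	}
	for _, bad := range []string{"..", "@{", "//", "/."} {
		if strings.Contains(name, bad) {
			return fmt.Errorf("tag name contains forbidden sequence %q", bad)
		}
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("tag name contains forbidden character %q", r)
		}
	}
	return nil
}

// tagArgs builds the argv for a hypothetical "git tag" call. The "--" marks the
// end of options, so anything after it is treated as a positional argument.
func tagArgs(name, target string) ([]string, error) {
	if err := validateTagName(name); err != nil {
		return nil, err
	}
	if target == "" || strings.HasPrefix(target, "-") {
		return nil, errors.New("target is empty or starts with '-'")
	}
	return []string{"tag", "--", name, target}, nil
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	for _, n := range []string{"v1.2.0", "release/2024-12", "--constructed-option=value"} {
		args, err := tagArgs(n, "main")
		fmt.Printf("%q -> %v (err: %v)\n", n, args, err)
	}
}
```

The argv slice is meant to be passed to `exec.Command("git", args...)`, never joined into a shell string.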


How to mitigate CVE-2024-39933

Install the security update from the vendor's website.
