Avoid getting your Gogs instance hacked after CVE-2024-39930

Submitted by Frederic Marand on

If you are using the Gogs git server and just apply updates automatically without Reading The Fine Manual, your server became vulnerable with the 0.13 releases.

The problem

In that version, the config section [service] was removed, after having been deprecated in the 0.12 releases, where it was renamed to [auth].

If you did not update your config fields, the update silently switched your instance to open auto-registration and other settings you may not want, because the values left in [service] are no longer read.

Specifically, this enables auto-registration, which in turn makes 4 severe vulnerabilities exploitable:

  • CVE-2024-39930 (CVSS score: 9.9) - Argument injection in the built-in SSH server
  • CVE-2024-39931 (CVSS score: 9.9) - Deletion of internal files
  • CVE-2024-39932 (CVSS score: 9.9) - Argument injection during changes preview
  • CVE-2024-39933 (CVSS score: 7.7) - Argument injection when tagging new releases

The fix

You probably want to read the changelog at https://github.com/gogs/gogs/blob/main/CHANGELOG.md and update your configuration file accordingly. That is, renaming your [service] section to [auth] and reviewing your settings there while you are at it.
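As an added example (not code from the original post or from the Gogs project), a small Python check that flags a leftover [service] section, warns when [auth] does not set DISABLE_REGISTRATION to true, and moves the old keys over. The key names DISABLE_REGISTRATION and REQUIRE_SIGNIN_VIEW are taken from the Gogs sample app.ini as I know it; the config content below is constructed.

```python
"""Audit and migrate a Gogs app.ini for the [service] -> [auth] rename."""
import configparser
import io

# Constructed sample: the operator disabled registration under the old
# [service] section and never moved it. Gogs 0.13 ignores that section,
# so registration silently falls back to the default (open).
SAMPLE_APP_INI = """\
[server]
DOMAIN = git.example.invalid

[service]
; pre-0.12 location, ignored by Gogs 0.13
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true

[auth]
REQUIRE_EMAIL_CONFIRMATION = false
"""

def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Gogs' upper-case key names as-is
    cp.read_file(io.StringIO(text))
    return cp

def audit(text):
    """Return a list of findings; an empty list means the file looks fine."""
    cp = load_ini(text)
    findings = []
    if cp.has_section("service"):
        findings.append("[service] present: Gogs 0.13 ignores it, move its keys to [auth]")
    auth = cp["auth"] if cp.has_section("auth") else {}
    # Assumed key name; unset means the Gogs default, i.e. open registration.
    if auth.get("DISABLE_REGISTRATION", "false").strip().lower() != "true":
        findings.append("[auth] DISABLE_REGISTRATION is not true: self-registration is open")
    return findings

def migrate(text):
    """Return app.ini text with [service] keys moved into [auth].

    Existing [auth] keys win over [service] ones. Note that configparser
    drops comments, so review the output before replacing the real file.
    """
    cp = load_ini(text)
    if cp.has_section("service"):
        if not cp.has_section("auth"):
            cp.add_section("auth")
        for key, value in cp.items("service"):
            if not cp.has_option("auth", key):
                cp.set("auth", key, value)
        cp.remove_section("service")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```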

Once this is done, check the user accounts on your Gogs servers. If any new accounts were registered, you will need to audit the underlying server for traces of further modifications: unidentified running processes (e.g. crypto miners), access to further SSH keys, and the like.

The reminder

RTFM is not just for the initial install: it is also for release notes. Each and every one of them.