Duplicate Advisory: github.com/gogs/gogs affected by CVE-2024-39930
        
Critical severity • GitHub Reviewed
Published Jul 4, 2024 to the GitHub Advisory Database • Updated Dec 23, 2024

Withdrawn: This advisory was withdrawn on Dec 23, 2024

Published by the National Vulnerability Database: Jul 4, 2024
Published to the GitHub Advisory Database: Jul 4, 2024
Reviewed: Jul 10, 2024
Withdrawn: Dec 23, 2024
Last updated: Dec 23, 2024

Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-vm62-9jw3-c8w3. This link is maintained to preserve external references.
Original Description
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
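An added illustration of one defence against this class of bug (not code from Gogs or from this advisory): the server decodes the RFC 4254 `env` request payload and accepts only well-formed, allowlisted variable names, so a client-supplied string can never be read as a command-line option. The allowlist contents, the sample payloads and all function names are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"regexp"
)

// Hypothetical policy: well-formed names (never a leading '-') from an allowlist.
var envName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
var allowed = map[string]bool{"LANG": true, "LC_ALL": true, "GIT_PROTOCOL": true}

// readString reads one RFC 4254 string: uint32 big-endian length, then the bytes.
func readString(b []byte) (string, []byte, bool) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return "", nil, false
	}
	n := binary.BigEndian.Uint32(b)
	return string(b[4 : 4+n]), b[4+n:], true
}

// ParseEnvRequest decodes an "env" request payload (name, value) and applies the policy.
func ParseEnvRequest(payload []byte) (string, string, error) {
	name, rest, ok1 := readString(payload)
	value, rest, ok2 := readString(rest)
	if !ok1 || !ok2 || len(rest) != 0 {
		return "", "", errors.New("malformed env payload")
	}
	if !envName.MatchString(name) || !allowed[name] {
		return "", "", fmt.Errorf("env name %q rejected", name)
	}
	return name, value, nil // caller sets cmd.Env with these; never argv
}

// encodeEnv builds a constructed payload for the demo below.
func encodeEnv(name, value string) []byte {
	out := binary.BigEndian.AppendUint32(nil, uint32(len(name)))
	out = append(out, name...)
	out = binary.BigEndian.AppendUint32(out, uint32(len(value)))
	return append(out, value...)
}

func main() {
	for _, kv := range [][2]string{{"LANG", "C.UTF-8"}, {"--opt", "x"}, {"PATH", "/tmp"}} {
		_, _, err := ParseEnvRequest(encodeEnv(kv[0], kv[1]))
		fmt.Printf("%q accepted=%v\n", kv[0], err == nil)
	}
}
```

Accepted pairs belong in the child process environment (for example the `Env` field of `exec.Cmd`), not in the argument list of another program.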
References