Critical Security Flaws Found in Gogs Git Service, Users Urged to Take Precautions

ICARO Media Group
Politics
08/07/2024 13h27

SonarSource researchers Thomas Chauchefoin and Paul Gerste have disclosed four unpatched security vulnerabilities, three of them rated critical, in Gogs, the open-source, self-hosted Git service. The flaws allow an authenticated attacker to compromise a vulnerable instance, steal or delete source code, and plant backdoors.

The vulnerabilities identified are as follows:

- CVE-2024-39930: Argument injection in the built-in SSH server (CVSS score: 9.9)
- CVE-2024-39931: Deletion of internal files (CVSS score: 9.9)
- CVE-2024-39932: Argument injection during changes preview (CVSS score: 9.9)
- CVE-2024-39933: Argument injection when tagging new releases (CVSS score: 7.7)

The first three flaws let an attacker execute arbitrary commands on the Gogs server; the fourth lets them read sensitive files such as source code and configuration secrets. In practice, a threat actor could read, modify, or delete code, pivot to internal hosts, and impersonate other users to gain further privileges. All four vulnerabilities require the attacker to be authenticated to the instance.

Exploiting CVE-2024-39930 has additional preconditions: the built-in SSH server must be enabled, the env binary on the host must support the "--split-string" option, and the attacker must hold an SSH private key registered with the instance. Where the Gogs instance has user registration enabled, an attacker can simply create an account and register their own key; otherwise they would first need to compromise an existing account or steal a user's private key.

Because of the env requirement, Gogs instances on Windows and the official Docker image are not exploitable through this flaw. Instances running on Debian and Ubuntu are, since the env binary shipped there supports "--split-string".

Based on data from Shodan, approximately 7,300 publicly accessible Gogs instances are found on the internet. About 60% of them are located in China, followed by the U.S., Germany, Russia, and Hong Kong. The exact number of vulnerable servers within this pool is yet to be determined, and SonarSource has no information regarding any current exploitation occurring in the wild.

The Gogs maintainers accepted SonarSource's initial report on April 28, 2023, but have been unresponsive since, neither shipping fixes nor communicating any updates. Users are therefore advised to take precautions: disable the built-in SSH server, turn off user registration to reduce the risk of mass exploitation, and consider migrating to Gitea, a Git service forked from Gogs. SonarSource has published a patch, although it has not been thoroughly tested.
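The following Go program is an added example written for this article; it is not Gogs's own code or SonarSource's patch. It covers two things discussed above: the argument-injection pattern behind CVE-2024-39930, where a client-supplied NAME=VALUE pair is placed straight into env's argument list so that a name such as "--split-string" is parsed by GNU env as an option rather than a variable, and the two precautions from the advisory, which map to the real Gogs app.ini keys [server] START_SSH_SERVER and [service] DISABLE_REGISTRATION. The app.ini fragment, the minimal INI reader and the envArgv* functions are constructed for illustration; the exact way Gogs assembles its env command line is not reproduced here.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// sampleAppINI is a constructed app.ini fragment, not taken from any real
// instance. It is in the state the advisory warns about: built-in SSH
// server on, self-registration allowed.
const sampleAppINI = `
[server]
START_SSH_SERVER = true
SSH_PORT = 2222

[service]
DISABLE_REGISTRATION = false
`

// Settings holds the two app.ini keys the advisory's precautions change.
type Settings struct {
	StartSSHServer      bool
	DisableRegistration bool
}

// parseAppINI extracts [server] START_SSH_SERVER and [service]
// DISABLE_REGISTRATION from app.ini text. It is a minimal reader written
// for this example, not Gogs's own configuration loader.
func parseAppINI(text string) Settings {
	var s Settings
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == ';' || line[0] == '#' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.Trim(line, "[]"))
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		key = strings.ToUpper(strings.TrimSpace(key))
		on := strings.EqualFold(strings.TrimSpace(val), "true")
		switch {
		case section == "server" && key == "START_SSH_SERVER":
			s.StartSSHServer = on
		case section == "service" && key == "DISABLE_REGISTRATION":
			s.DisableRegistration = on
		}
	}
	return s
}

// exposureWarnings lists the advisory's precautions that s has not applied.
func exposureWarnings(s Settings) []string {
	var w []string
	if s.StartSSHServer {
		w = append(w, "built-in SSH server is enabled: set [server] START_SSH_SERVER = false")
	}
	if !s.DisableRegistration {
		w = append(w, "self-registration is open: set [service] DISABLE_REGISTRATION = true")
	}
	return w
}

// isValidEnvName accepts only POSIX-style variable names: a letter or
// underscore followed by letters, digits or underscores. A name starting
// with '-' is rejected, so it can never be read as an env(1) option.
func isValidEnvName(name string) bool {
	if name == "" {
		return false
	}
	for i, r := range name {
		alpha := r == '_' || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
		digit := r >= '0' && r <= '9'
		if !alpha && !(i > 0 && digit) {
			return false
		}
	}
	return true
}

// envArgvUnchecked shows the dangerous pattern: a client-supplied NAME=VALUE
// pair goes straight into env's argument list. With name "--split-string"
// the element becomes "--split-string=VALUE", which a GNU coreutils env
// treats as its -S option, with VALUE as a command line to split and run.
func envArgvUnchecked(name, value, cmd string, args ...string) []string {
	argv := []string{"env", name + "=" + value, cmd}
	return append(argv, args...)
}

// envArgvChecked builds the same argument list but refuses any name that is
// not a plain variable name.
func envArgvChecked(name, value, cmd string, args ...string) ([]string, error) {
	if !isValidEnvName(name) {
		return nil, errors.New("refusing env name that is not a plain variable name: " + name)
	}
	return envArgvUnchecked(name, value, cmd, args...), nil
}

func main() {
	for _, w := range exposureWarnings(parseAppINI(sampleAppINI)) {
		fmt.Println("WARN:", w)
	}
	fmt.Println(envArgvUnchecked("--split-string", "/bin/sh -c id", "git-upload-pack", "repo.git"))
	if _, err := envArgvChecked("--split-string", "/bin/sh -c id", "git-upload-pack", "repo.git"); err != nil {
		fmt.Println("blocked:", err)
	}
}
```

The name check is the load-bearing control: an environment variable name can never begin with '-', so validating it before it reaches argv removes the option-injection path regardless of which env binary is installed. The app.ini check is only a quick audit of the two settings the advisory recommends changing; it does not detect the other three CVEs, which do not depend on the SSH server.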

In related news, cloud security firm Aqua recently described a problem it calls "phantom secrets": sensitive data such as access tokens and passwords can remain permanently retrievable from Git-based source code management (SCM) systems even after it has been removed from the repository. These secrets are missed by conventional scanning tools and can only be reached through specific Git commands or cached views on the SCM platform, a blind spot that scanning tooling needs to address.

As both Gogs users and developers grapple with security concerns, it becomes vital to prioritize the implementation of recommended precautions and measures to safeguard data and prevent unauthorized access.

Note: All information provided in this article is based on the data and findings available in the provided context.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
