Plattform
go
Komponente
gogs.io/gogs
Behoben in
0.13.2
0.13.1
CVE-2024-55947 describes a Path Traversal vulnerability discovered in Gogs, a self-hosted Git service. This flaw allows unauthorized access to sensitive files on the server, potentially exposing configuration data, source code, or other critical information. The vulnerability affects versions of Gogs prior to 0.13.1, and a patch has been released to address the issue.
The Path Traversal vulnerability in Gogs allows an attacker to bypass intended access restrictions and read files outside of the intended directory. By manipulating the file update API, an attacker can craft requests that include malicious path sequences (e.g., ../..) to traverse the file system. Successful exploitation could lead to the disclosure of sensitive data, including database credentials, private keys, and application source code. The impact is particularly severe if the Gogs instance is deployed in a production environment or handles sensitive user data. This vulnerability is similar in concept to other path traversal flaws, where attackers leverage improper input validation to gain unauthorized access.
CVE-2024-55947 was published on 2025-01-07. As of this date, no public proof-of-concept exploits are known. The EPSS score is currently pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Organizations running self-hosted gogs.io/gogs instances, particularly those with publicly accessible file upload endpoints, are at risk. Environments with weak input validation or insufficient access controls are especially vulnerable.
• linux / server:
find /var/www/gogs -name '*gogs.io/gogs*' -type f -print0 | xargs -0 grep -i 'path..'• generic web:
curl -I 'http://your-gogs-server/update_file?path=../../../../etc/passwd' # Check for 200 OK response indicating successful accessdisclosure
Exploit-Status
EPSS
79.35% (99% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-55947 is to upgrade Gogs to version 0.13.1 or later, which includes the necessary fix. If immediate upgrading is not feasible, consider implementing temporary workarounds such as restricting file upload permissions and carefully validating user-supplied file paths within the application code. Employing a Web Application Firewall (WAF) with path traversal detection rules can also help to block malicious requests. Regularly review and update Gogs' configuration to minimize the attack surface.
Actualice Gogs a la versión 0.13.1 o posterior. Esta versión corrige la vulnerabilidad de path traversal que permite la escritura de archivos arbitrarios en el servidor. La actualización previene el acceso SSH no autorizado al servidor.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-55947 is a Path Traversal vulnerability in gogs.io/gogs allowing attackers to read arbitrary files. It impacts versions before 0.13.1 and has a CVSS score of 8.8.
You are affected if you are running gogs.io/gogs versions prior to 0.13.1. Check your version and upgrade immediately.
Upgrade gogs.io/gogs to version 0.13.1 or later to patch the vulnerability. Consider temporary workarounds like restricting file upload locations if immediate upgrade is not possible.
As of 2025-01-07, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the official gogs.io/gogs release notes and security advisories on their website for details and updates.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine go.mod-Datei hoch und wir sagen dir sofort, ob du betroffen bist.