Platform: go
Component: gogs.io/gogs
Fixed in: 0.13.2, 0.13.1
CVE-2024-54148 is a critical Remote Command Execution (RCE) vulnerability discovered in gogs.io/gogs, a self-hosted Git service. This vulnerability allows an attacker to execute arbitrary commands on the server through manipulation of file editing functionality. Versions of Gogs prior to 0.13.1 are affected. A patch has been released in version 0.13.1.
The impact of CVE-2024-54148 is severe. An unauthenticated attacker can exploit this vulnerability to execute arbitrary commands on the Gogs server. This could lead to complete system compromise, including data exfiltration, malware installation, and denial of service. The attacker could potentially gain persistent access to the server and compromise other systems on the network if the Gogs server has access to internal resources. This vulnerability is particularly concerning given the potential for remote, unauthenticated exploitation.
CVE-2024-54148 was published on 2025-01-07. The vulnerability is considered highly exploitable because it yields remote command execution and requires no authentication. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of exploitation. The EPSS score is expected to be high, reflecting the significant risk posed by this vulnerability.
Exploit Status
EPSS: 0.47% (65th percentile)
CVSS Vector:
The primary mitigation for CVE-2024-54148 is to upgrade Gogs to version 0.13.1 or later. If immediate upgrading is not possible, consider restricting file editing access to trusted users only. Implement strict input validation on all file editing parameters to prevent command injection. Monitor Gogs logs for suspicious activity, particularly related to file modifications. While a WAF may offer some protection, it is not a substitute for patching the vulnerability.
Update Gogs to version 0.13.1 or higher. This version fixes the path traversal vulnerability that allows malicious users to obtain SSH access to the server. The update prevents exploitation of manipulated symlinks in repositories.
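As an added, defender-side illustration (this is example code written for this page, not Gogs source and not the project's actual patch), the following Go program shows the kind of containment check that defeats the symlink-based path traversal described above: a repository-relative path is cleaned, symlinks along its already-existing prefix are resolved, and the result is rejected unless it still lies inside the repository root. The temporary repository layout it builds is constructed for the example, and the function names (SafeRepoPath, resolveExisting, within, demoLayout) are assumptions, not Gogs identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo: the requested path, after cleaning and symlink resolution,
// does not stay inside the repository root.
var ErrOutsideRepo = errors.New("path resolves outside the repository root")

// within reports whether p is root itself or lies (lexically) below root.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveExisting resolves symlinks on the longest existing prefix of p and
// re-appends the not-yet-existing remainder, so a file an edit is about to
// create can be checked too. A dangling symlink is rejected outright, since
// writing through it would create the target wherever the link points.
func resolveExisting(p string) (string, error) {
	cur, rest := p, ""
	for {
		resolved, err := filepath.EvalSymlinks(cur)
		if err == nil {
			return filepath.Join(resolved, rest), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		if fi, lerr := os.Lstat(cur); lerr == nil && fi.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("dangling symlink at %s", cur)
		}
		parent, base := filepath.Split(cur)
		parent = filepath.Clean(parent)
		if parent == cur { // reached the filesystem root: nothing exists
			return "", err
		}
		cur, rest = parent, filepath.Join(base, rest)
	}
}

// SafeRepoPath returns the real absolute path for the repository-relative path
// rel, or ErrOutsideRepo if rel escapes root via "..", an absolute path, or a
// symlink stored inside the repository (hypothetical helper, not Gogs code).
func SafeRepoPath(root, rel string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot) // the root itself may sit behind a symlink
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(realRoot, rel) // Join cleans, collapsing ".." segments
	if !within(realRoot, candidate) {
		return "", ErrOutsideRepo // lexical traversal, caught before touching the disk
	}
	resolved, err := resolveExisting(candidate)
	if err != nil {
		return "", err
	}
	if !within(realRoot, resolved) {
		return "", ErrOutsideRepo // a symlink inside the repository pointed outside it
	}
	return resolved, nil
}

// demoLayout builds a constructed layout under dir (assumed for this example):
// outside/secret.txt must stay unreachable; repo/ok.txt is a normal file;
// repo/escape -> ../outside leaves the repo; repo/dangling -> ../outside/missing.
func demoLayout(dir string) (string, error) {
	root, outside := filepath.Join(dir, "repo"), filepath.Join(dir, "outside")
	steps := []func() error{
		func() error { return os.MkdirAll(root, 0o755) },
		func() error { return os.MkdirAll(outside, 0o755) },
		func() error { return os.WriteFile(filepath.Join(root, "ok.txt"), []byte("fine\n"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(outside, "secret.txt"), []byte("secret\n"), 0o644) },
		func() error { return os.Symlink(filepath.Join("..", "outside"), filepath.Join(root, "escape")) },
		func() error { return os.Symlink(filepath.Join("..", "outside", "missing"), filepath.Join(root, "dangling")) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	dir, err := os.MkdirTemp("", "pathcheck-")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	root, err := demoLayout(dir)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, rel := range []string{"ok.txt", "new/file.txt", "../outside/secret.txt", "escape/secret.txt", "dangling"} {
		if p, err := SafeRepoPath(root, rel); err != nil {
			fmt.Printf("REJECT %-22s %v\n", rel, err)
		} else {
			fmt.Printf("ALLOW  %-22s %s\n", rel, p)
		}
	}
}
```

The two-stage check matters: a purely lexical test (the first within call) catches "../" and absolute paths but is blind to a symlink committed inside the repository, which is exactly the case the page's fix description names; only resolving symlinks and re-checking the real path closes that gap. Resolving the repository root itself first keeps the comparison honest on systems where the data directory is reached through a symlink.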
CVE-2024-54148 is a critical Remote Command Execution vulnerability in gogs.io/gogs, allowing attackers to execute commands on the server through file editing. It affects versions before 0.13.1.
Yes, if you are running gogs.io/gogs version 0.13.0 or earlier, you are vulnerable. Upgrade to 0.13.1 or later to mitigate the risk.
Upgrade gogs.io/gogs to version 0.13.1 or later. If immediate upgrade is not possible, restrict file editing access and implement strict input validation.
While no active exploitation has been publicly confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted soon.
Refer to the official gogs.io/gogs security advisories on their website or GitHub repository for the latest information and updates.