Platform
go
Component
gogs.io/gogs
Fixed in
0.13.2
0.13.1
CVE-2024-55947 describes a Path Traversal vulnerability discovered in gogs.io/gogs, a self-hosted Git service. This flaw allows attackers to potentially read arbitrary files on the server, leading to sensitive data exposure. The vulnerability impacts versions of gogs prior to 0.13.1, and a patch has been released to address it.
The Path Traversal vulnerability in gogs.io/gogs allows an attacker to bypass intended file access restrictions. By manipulating the file update API, an attacker can craft requests that include directory traversal sequences (e.g., ../) to access files outside of the intended directory. This could lead to the exposure of sensitive configuration files, source code, database credentials, or other critical data stored on the server. The potential impact is significant, as an attacker could gain a deeper understanding of the system's architecture and potentially exploit other vulnerabilities.
CVE-2024-55947 was published on 2025-01-07. As of this date, there are no publicly known proof-of-concept exploits. The vulnerability is not currently listed on CISA KEV. The probability of exploitation is considered medium, given the ease of exploiting path traversal vulnerabilities and the potential for widespread impact.
Exploit Status
EPSS
79.35% (99% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-55947 is to upgrade gogs.io/gogs to version 0.13.1 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting file upload locations and carefully validating user input to prevent directory traversal attempts. Web application firewalls (WAFs) configured to detect and block directory traversal patterns can also provide an additional layer of protection. After upgrading, confirm the fix by attempting a file update request with a malicious path traversal sequence and verifying that access is denied.
Actualice Gogs a la versión 0.13.1 o posterior. Esta versión corrige la vulnerabilidad de path traversal que permite la escritura de archivos arbitrarios en el servidor. La actualización previene el acceso SSH no autorizado al servidor.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-55947 is a Path Traversal vulnerability in gogs.io/gogs allowing attackers to read arbitrary files. It impacts versions before 0.13.1 and has a CVSS score of 8.8.
You are affected if you are running gogs.io/gogs versions prior to 0.13.1. Check your version and upgrade immediately.
Upgrade gogs.io/gogs to version 0.13.1 or later to patch the vulnerability. Consider temporary workarounds like restricting file upload locations if immediate upgrade is not possible.
As of 2025-01-07, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the official gogs.io/gogs release notes and security advisories on their website for details and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.