CVE-2024-54148

CRITICAL

Gogs - Path Traversal

Title source: llm

Description

Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.

References (4)

[Exploit, Vendor Advisory] https://github.com/gogs/gogs/security/advisories/GHSA-r7j8-5h9c-f6fx

[Issue Tracking] https://github.com/gogs/gogs/issues/7582

[Patch] https://github.com/gogs/gogs/pull/7857

[Patch] https://github.com/gogs/gogs/commit/c94baec9ca923f38c19f0c7c5af722b9ec04022a

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0047

EPSS Percentile 64.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-22 CWE-61

Status published

Products (2)

gogs/gogs < 0.13.1

gogs.io/gogs 0 - 0.13.1Go

Published Dec 23, 2024

Tracked Since Feb 18, 2026