CVE-2024-55947
Published: 23 December 2024
Summary
CVE-2024-55947 is a high-severity path traversal (CWE-22) vulnerability in Gogs, the open source self-hosted Git service. Its CVSS 4.0 base score is 8.7 (High).
Operationally, it ranks in the top 1.1% of CVEs by estimated exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.
Deeper analysis
Gogs, an open source self-hosted Git service, is affected by CVE-2024-55947, a path traversal vulnerability (CWE-22) that permits a malicious user to write a file to an arbitrary path on the server. The issue carries a CVSS 4.0 score of 8.7 and was fixed in release 0.13.1.
An authenticated attacker can use the flaw to write an SSH public key, or any other file, to a path outside the directory the application intended, for example a location that grants SSH login and therefore command execution on the underlying host. No additional privileges or user interaction are required.
The official GitHub security advisory and linked commit 9a9388ace25bd646f5098cb9193d983332c34e41 describe the patch that resolves the arbitrary file write; administrators are advised to upgrade promptly to 0.13.1 or later.
The EPSS score currently stands at 0.7568 (recorded peak 0.8253), i.e. an estimated probability of roughly 76% that the vulnerability is exploited in the wild within the next 30 days. EPSS is a prediction of exploitation activity, not confirmation of it; the absence from CISA KEV means no confirmed in-the-wild exploitation has been recorded there yet.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3608
Vulnerability details
Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Gogs releases before 0.13.1 (the fix shipped in 0.13.1).
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validate pathnames and filenames so that a user-supplied path can never resolve outside the intended directory: canonicalize the joined path and check containment against the base directory rather than filtering for "../" substrings.
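As an added illustration of the control above, the Go example below contrasts an unchecked join, the generic pattern behind CWE-22 arbitrary file writes, with a contained join that rejects anything resolving outside the base directory. This is example code written for this page, not Gogs's own code or the fix in commit 9a9388ace25bd646f5098cb9193d983332c34e41; the base directory and file names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested name would resolve outside the base directory.
var ErrTraversal = errors.New("path escapes base directory")

// UnsafeJoin mirrors the weak pattern behind CWE-22: the user-controlled name is
// joined onto the base directory with no containment check, so "../" segments
// walk out of the intended directory. Shown for contrast only.
func UnsafeJoin(base, name string) string {
	return filepath.Join(base, name)
}

// SafeJoin resolves name relative to base and rejects any result that does not
// stay strictly inside base. It normalizes the base, refuses absolute user input,
// lets filepath.Join collapse "." and ".." segments, then requires the candidate
// to have base as a prefix on a path-separator boundary (so "/srv/data2" is not
// accepted as inside "/srv/data").
func SafeJoin(base, name string) (string, error) {
	absBase, err := filepath.Abs(filepath.Clean(base))
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(name) {
		return "", ErrTraversal
	}
	candidate := filepath.Join(absBase, name) // Join cleans the result
	if candidate == absBase || !strings.HasPrefix(candidate, absBase+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return candidate, nil
}

func main() {
	base := "/srv/gogs/data" // constructed base directory for the example
	names := []string{
		"repo/README.md",
		"../../root/.ssh/authorized_keys",
		"../data2/x",
		"/etc/passwd",
	}
	for _, name := range names {
		fmt.Printf("unchecked: %-34s -> %s\n", name, UnsafeJoin(base, name))
		if p, err := SafeJoin(base, name); err != nil {
			fmt.Printf("checked:   %-34s -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("checked:   %-34s -> %s\n", name, p)
		}
	}
}
```

The containment check here is lexical. If the base directory can contain symlinks controlled by users (for example inside a repository working tree), resolve the candidate with filepath.EvalSymlinks after creating it and repeat the prefix check on the resolved path, otherwise a link pointing at ~/.ssh defeats the lexical test. On case-insensitive filesystems the prefix comparison must also fold case.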