CVE-2024-44625
Gogs vulnerability analysis and mitigation

Overview

Gogs version 0.13.0 and earlier contains a Directory Traversal vulnerability (CVE-2024-44625) in the editFilePost function of internal/route/repo/editor.go. The vulnerability was discovered and reported on August 10, 2024, and affects the latest version of Gogs at the time of disclosure (Fysac Blog).

Technical details

The vulnerability exists in the web editor functionality that allows users to modify and rename repository files directly from the web interface. While the code includes protection against traditional path traversal attacks ("../" sequences in the submitted path), it fails to properly handle symbolic link following when combined with file renaming: a path that looks local on paper can still resolve, through a symbolic link inside the working tree, to a location outside it. The vulnerability received a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

The vulnerability allows an authenticated attacker with repository access to achieve remote code execution on the server. This is possible by exploiting the symbolic link path traversal to modify arbitrary files on the system, including server-side Git hooks, which Git executes automatically (Fysac Blog).
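The gap described above, as an added example that is not Gogs's own code: a purely lexical check (LexicalOnly, backed by filepath.IsLocal, whose documentation states that it ignores symbolic links) accepts a path that passes through a symlink inside the working tree, whereas SafeRepoPath resolves symlinks on disk before deciding whether an old or new file name still lies under the repository root, and refuses dangling links whose target cannot be known. All function names are assumptions; the accompanying test builds a constructed temporary repository containing a symlink that points at an outside hooks directory.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
)

var ErrOutsideRepo = errors.New("path escapes the repository working tree")

// LexicalOnly, shown for contrast, stops "../" only: filepath.IsLocal rejects
// absolute and escaping paths but, per its docs, ignores symlinks on disk.
func LexicalOnly(userPath string) bool { return filepath.IsLocal(userPath) }

// resolveExisting resolves symlinks on the longest existing prefix of p and
// re-appends the missing leaf components (a rename target may not exist yet).
func resolveExisting(p string) (string, error) {
	var missing []string
	for {
		r, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(append([]string{r}, missing...)...), nil
		}
		fi, lerr := os.Lstat(p)
		dangling := lerr == nil && fi.Mode()&os.ModeSymlink != 0
		if !errors.Is(err, os.ErrNotExist) || dangling {
			return "", err // real error, or a dangling link whose target is unknown
		}
		missing = append([]string{filepath.Base(p)}, missing...)
		p = filepath.Dir(p) // ends at "/" or ".", which EvalSymlinks accepts
	}
}

// SafeRepoPath accepts a user-supplied relative path (old or new file name from
// a web editor) only if it still lies under repoRoot after symlink resolution.
func SafeRepoPath(repoRoot, userPath string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot) // the root itself may be a link
	if err != nil {
		return "", err
	}
	target, err := resolveExisting(filepath.Join(root, userPath))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == "." || !filepath.IsLocal(rel) {
		return "", ErrOutsideRepo
	}
	return target, nil // resolved absolute path that may actually be written
}
```

SafeRepoPath would be called on both the old and the new file name before any write or rename, and the returned resolved path, not the user-supplied one, is what gets opened.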

Mitigation and workarounds

As the vulnerability remains unpatched, users are advised to disable public access and user registration, set strong passwords, enable 2FA for existing accounts, and consider migrating to Gitea, an actively maintained fork that is not affected by this vulnerability (Fysac Blog).

Community reactions

The vulnerability was reported through GitHub's advisory system but remained unacknowledged by the Gogs developers despite multiple follow-ups. This appears to be part of a broader pattern, as there is an open issue tracking several other high and critical vulnerabilities left unpatched due to lack of response from the Gogs developers (Fysac Blog).

This report was generated using AI.
