CVE-2024-54148: 
Gogs vulnerability analysis and mitigation

Gogs, an open source self-hosted Git service, was found to contain a critical security vulnerability (CVE-2024-54148) that allows malicious users to gain unauthorized SSH access to the server. The vulnerability was discovered and disclosed in December 2024, affecting all versions prior to 0.13.1. The issue stems from the ability to commit and edit crafted symlink files to repositories (GitHub Advisory).

The vulnerability is classified with a CVSS v4.0 base score of 8.7 (HIGH) and CVSS v3.1 score of 9.8 (CRITICAL). The technical root cause involves improper handling of symbolic links during file editing operations, specifically when changing file names. The vulnerability is categorized under CWE-22 (Path Traversal) and CWE-61 (UNIX Symbolic Link Following) (NVD, GitHub Advisory).

When exploited, this vulnerability allows attackers to gain unauthorized SSH access to the server through manipulation of symbolic links. The attack can lead to server compromise and potential access to sensitive data. The critical CVSS score of 9.8 indicates the severe potential impact of this vulnerability (Security Online).

The vulnerability has been patched in Gogs version 0.13.1. The fix involves prohibiting the editing of symlinks while changing file names via the repository web editor. For affected versions, there is no viable workaround available, and administrators are advised to only grant access to trusted users. The recommended action is to upgrade to version 0.13.1 or the latest 0.14.0+dev (GitHub Advisory).