Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03djVyLXI5OTUtcTJ4Ms0yUQ

SSRF in repository migration

Gogs is a self-hosted Git service. The malicious user is able to discover services in the internal network through repository migration functionality. All installations accepting public traffic are affected. Internal network CIDRs are prohibited to be used as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev. Gogs should be ran in its own private network until users can update.

Permalink: https://github.com/advisories/GHSA-7v5r-r995-q2x2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03djVyLXI5OTUtcTJ4Ms0yUQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago


CVSS Score: 5.0
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Identifiers: GHSA-7v5r-r995-q2x2, CVE-2022-0870
References: Repository: https://github.com/gogs/gogs

Affected Packages

go:gogs.io/gogs
Dependent packages: 2
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.12.5
Fixed in: 0.12.5
All affected versions: 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.2, 0.5.5, 0.5.8, 0.5.9, 0.5.11, 0.5.13, 0.6.0, 0.6.1, 0.6.3, 0.6.5, 0.6.9, 0.6.15, 0.7.0, 0.7.6, 0.7.19, 0.7.22, 0.7.33, 0.8.0, 0.8.10, 0.8.25, 0.8.43, 0.9.0, 0.9.13, 0.9.46, 0.9.48, 0.9.60, 0.9.71, 0.9.97, 0.9.113, 0.9.128, 0.9.141, 0.10.1, 0.10.8, 0.10.18, 0.11.4, 0.11.19, 0.11.29, 0.11.33, 0.11.34, 0.11.43, 0.11.53, 0.11.66, 0.11.79, 0.11.86, 0.11.91, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4
All unaffected versions: 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.13.0