Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03djVyLXI5OTUtcTJ4Ms0yUQ
SSRF in repository migration
Gogs is a self-hosted Git service. The malicious user is able to discover services in the internal network through repository migration functionality. All installations accepting public traffic are affected. Internal network CIDRs are prohibited to be used as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev. Gogs should be ran in its own private network until users can update.
Permalink: https://github.com/advisories/GHSA-7v5r-r995-q2x2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03djVyLXI5OTUtcTJ4Ms0yUQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 5.0
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Identifiers: GHSA-7v5r-r995-q2x2, CVE-2022-0870
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-0870
- https://github.com/gogs/gogs/commit/91f2cde5e95f146bfe4765e837e7282df6c7cabb
- https://huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531
- https://github.com/advisories/GHSA-7v5r-r995-q2x2
Affected Packages
go:gogs.io/gogs
Dependent packages: 2Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.12.5
Fixed in: 0.12.5
All affected versions: 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.2, 0.5.5, 0.5.8, 0.5.9, 0.5.11, 0.5.13, 0.6.0, 0.6.1, 0.6.3, 0.6.5, 0.6.9, 0.6.15, 0.7.0, 0.7.6, 0.7.19, 0.7.22, 0.7.33, 0.8.0, 0.8.10, 0.8.25, 0.8.43, 0.9.0, 0.9.13, 0.9.46, 0.9.48, 0.9.60, 0.9.71, 0.9.97, 0.9.113, 0.9.128, 0.9.141, 0.10.1, 0.10.8, 0.10.18, 0.11.4, 0.11.19, 0.11.29, 0.11.33, 0.11.34, 0.11.43, 0.11.53, 0.11.66, 0.11.79, 0.11.86, 0.11.91, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4
All unaffected versions: 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.13.0