CVE-2022-0870 – gogs.io/gogs

Package

Manager: go
Name: gogs.io/gogs
Vulnerable Version: >=0 <0.12.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

EPSS: 0.05466 pctl0.89814

Details

SSRF in repository migration Gogs is a self-hosted Git service. The malicious user is able to discover services in the internal network through repository migration functionality. All installations accepting public traffic are affected. Internal network CIDRs are prohibited to be used as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev. Gogs should be ran in its own private network until users can update.

Metadata

Created: 2022-03-12T00:00:34Z
Modified: 2022-03-24T23:23:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-7v5r-r995-q2x2/GHSA-7v5r-r995-q2x2.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-7v5r-r995-q2x2
Finding: F100
Auto approve: 1