logo

Database

Server-side request forgery (SSRF) In gogs.io/gogs

Description

SSRF in repository migration

Impact

The malicious user is able to discover services in the internal network through repository migration functionality. All installations accepting public traffic are affected.

Patches

Internal network CIDRs are prohibited to be used as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev.

Workarounds

Run Gogs in its own private network.

References

https://www.huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531/

For more information

If you have any questions or comments about this advisory, please post on #6754.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-q347-cg56-pcq42. GCVE-GHSA-q347-cg56-pcq4

References

1. https://github.com/gogs/gogs/security/advisories/GHSA-q347-cg56-pcq42. https://www.huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-MLVN4 – Vulnerability | Fluid Attacks Database