Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-8681 — SQL Injection in Gogits Gogs

CWE-89 — SQL Injection5 documents4 sources

Severity

7.5HIGHNVD

EPSS

6.5%

top 8.87%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Github.com Gogits Gogs Gogs.io Gogs Gogits Gogs

Timeline

PublishedNov 21

Latest updateJun 29

Description

SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶Gogogs.io/gogs0.3.1 — 0.5.8

▶Gogithub.com/gogits_gogs0.3.1 — 0.5.8+1

▶NVDgogits/gogs0.5.5+5

🔴Vulnerability Details

OSV

SQL Injection in gogs.io/gogs↗2021-06-29

▶

GHSA

SQL Injection in gogs.io/gogs↗2021-06-29

▶

OSV

SQL Injection in github.com/gogits/gogs↗2021-04-14

▶

💥Exploits & PoCs

Exploit-DB

Gogs - 'label' SQL Injection↗2014-11-14

▶