CVE-2022-0870
Published 2022-03-11
Priority P3 · 39 · medium · 5.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 3.42% (87.4th percentile)
Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.12.5 | 0.12.5 |
| gogs | gogs | < 0.12.5 | 0.12.5 |
| gogs | gogs_gogs | >= unspecified < 0.12.5 | 0.12.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 3.0 | 5.0 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
OSV · 2024-08-21
CVE-2022-0870: SSRF in repository migration in gogs.io/gogs
OSV · 2022-03-12
CVE-2022-0870 [MEDIUM]: SSRF in repository migration
Gogs is a self-hosted Git service. A malicious user is able to discover services in the internal network through the repository migration functionality. All installations accepting public traffic are affected. Internal network CIDRs are prohibited from being used as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev. Gogs should be run in its own private network until users can update.
GHSA · 2022-03-12
CVE-2022-0870 [MEDIUM] CWE-918: SSRF in repository migration
Gogs is a self-hosted Git service. A malicious user is able to discover services in the internal network through the repository migration functionality. All installations accepting public traffic are affected. Internal network CIDRs are prohibited from being used as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev. Gogs should be run in its own private network until users can update.
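The advisories above describe the fix only in one sentence: internal network CIDRs may no longer be used as repository migration targets. The following Go program is an added illustration of what such a check looks like on the defending side; it is not Gogs' own code, and its deny list, the restriction to HTTP(S) sources, the host names and the lookup table are all constructed for the example. It validates a migration URL before any clone starts (literal addresses and every resolved address are checked against the list), and it also shows a `net.Dialer` Control hook that repeats the check at connect time, which is what closes the gap between a validation-time lookup and a later DNS answer that points inside the network.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"syscall"
)

// blockedCIDRs lists address ranges a migration target must never resolve to.
// Assumption: a typical deny list (loopback, RFC 1918, link-local including the
// cloud metadata address, CGNAT, IPv6 ULA/link-local), not the exact list Gogs ships.
var blockedCIDRs = mustParseCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
	"192.168.0.0/16", "100.64.0.0/10", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(specs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(specs))
	for _, s := range specs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsBlockedIP reports whether ip falls inside any blocked range.
// IPNet.Contains unwraps IPv4-mapped IPv6 addresses, so ::ffff:10.0.0.5 is caught too.
func IsBlockedIP(ip net.IP) bool {
	for _, n := range blockedCIDRs {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateMigrationURL rejects a migration target whose scheme is not http(s),
// whose host is missing, or whose host resolves to any blocked address.
// The resolver is injected so the check runs offline against constructed data.
func ValidateMigrationURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" { // assumption: only HTTP(S) clone sources
		return fmt.Errorf("scheme %q not allowed for migration", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("migration URL has no host")
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip) // literal address: no lookup needed
	} else if ips, err = resolve(host); err != nil {
		return fmt.Errorf("resolving %s: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("%s did not resolve to any address", host)
	}
	// Every answer must be acceptable: a name that mixes public and internal
	// addresses is refused rather than trusting whichever one the client picks.
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return fmt.Errorf("migration target %s resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// MigrationDialControl is a net.Dialer.Control hook that re-checks the address at
// connect time, so a name whose answer changed between validation and fetch is still
// refused. Use it as &net.Dialer{Control: MigrationDialControl}.
func MigrationDialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("dial address %q is not an IP literal", address)
	}
	if IsBlockedIP(ip) {
		return fmt.Errorf("refusing to connect to blocked address %s", ip)
	}
	return nil
}

// demoResolver is a constructed lookup table standing in for DNS so the example runs offline.
func demoResolver(host string) ([]net.IP, error) {
	table := map[string][]string{
		"public.example":   {"203.0.113.10"},
		"internal.example": {"10.0.0.5"},
		"mixed.example":    {"203.0.113.10", "169.254.169.254"},
	}
	addrs, ok := table[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

func main() {
	for _, target := range []string{
		"https://public.example/org/repo.git",
		"http://internal.example/repo.git",
		"http://127.0.0.1:3000/admin",
		"http://mixed.example/repo.git",
		"file:///etc/passwd",
	} {
		if err := ValidateMigrationURL(target, demoResolver); err != nil {
			fmt.Printf("REJECT %-40s %v\n", target, err)
		} else {
			fmt.Printf("ALLOW  %s\n", target)
		}
	}
}
```

The dialer hook only covers connections made by Go code. Where the clone is delegated to a git subprocess, the pre-clone URL check is the only control point, and redirects followed by that subprocess are not inspected; the advisories' interim advice to run Gogs in its own private network addresses exactly that residual exposure.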
No detection rules found.
Nuclei · CVSS 5.3
CVE-2022-0870 [MEDIUM]: Gogs <0.12.5 - Server-Side Request Forgery
Gogs GitHub repository before 0.12.5 is susceptible to server-side request forgery. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
```yaml
id: CVE-2022-0870
info:
  name: Gogs <0.12.5 - Server-Side Request Forgery
  author: theamanrawat,Akincibor
  severity: medium
  description: |
    Gogs GitHub repository before 0.12.5 is susceptible to server-side request forgery. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized access to sensitive internal resources
```
No writeups or analysis indexed.