CVE-2022-1285
published 2026-06-24CVE-2022-1285: Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a…
PriorityP432medium6.5CVSS 3.1
AVNACLPRNUIRSUCHINAN
EPSS
1.19%
64.1th percentile
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs. This vulnerability is fixed in 0.14.3.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.12.8 | 0.12.8 |
| gogs.io | gogs | >= 0 < 0.14.3 | 0.14.3 |
| gogs | gogs | < 0.14.3 | 0.14.3 |
| gogs | gogs | < 0.12.8 | 0.12.8 |
| juniper | junos_os | — | — |
| juniper | qfx_series | — | — |
| juniper | srx_series | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvdv3.08.3HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
ghsa6.5MEDIUM
vendor_oracle9.8CRITICAL
vendor_redhat7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Gogs has SSRF in webhook deliveries
ghsa·2026-06-22·CVSS 6.5
CVE-2026-47267 [MEDIUM] CWE-918 Gogs has SSRF in webhook deliveries
Gogs has SSRF in webhook deliveries
### Summary
The fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs.
This was already communicated in the initial report but it looks like there was a bit of a miscommunication.
### Details
By creating a webook pointing to any URL that will return the following:
```
HTTP/1.1 301 Moved Permanently
Location: http://169.254.169.254/metadata/v1.json
Content-Length: 0
Connection: close
```
It is possible to access 169.254.169.254
### PoC
1. Run netcat on any server
2. Use this server as the webhook URL
3. Once you get the request from the webhook (for example by testing it), copy the response above
OSV
Server-Side Request Forgery in gogs webhook in gogs.io/gogs
osv·2024-08-21
CVE-2022-1285 Server-Side Request Forgery in gogs webhook in gogs.io/gogs
Server-Side Request Forgery in gogs webhook in gogs.io/gogs
Server-Side Request Forgery in gogs webhook in gogs.io/gogs
GHSA
Server-Side Request Forgery in gogs webhook
ghsa·2022-06-03
CVE-2022-1285 [HIGH] CWE-918 Server-Side Request Forgery in gogs webhook
Server-Side Request Forgery in gogs webhook
### Impact
The malicious user is able to discover services in the internal network through webhook functionality. All installations accepting public traffic are affected.
### Patches
Webhook payload URLs are revalidated before each delivery to make sure they are not resolved to blocked local network addresses. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.
### Workarounds
Run Gogs in its own private network.
### References
https://huntr.dev/bounties/da1fbd6e-7a02-458e-9c2e-6d226c47046d/
### For more information
If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6901.
OSV
Server-Side Request Forgery in gogs webhook
osv·2022-06-03
CVE-2022-1285 [HIGH] Server-Side Request Forgery in gogs webhook
Server-Side Request Forgery in gogs webhook
### Impact
The malicious user is able to discover services in the internal network through webhook functionality. All installations accepting public traffic are affected.
### Patches
Webhook payload URLs are revalidated before each delivery to make sure they are not resolved to blocked local network addresses. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.
### Workarounds
Run Gogs in its own private network.
### References
https://huntr.dev/bounties/da1fbd6e-7a02-458e-9c2e-6d226c47046d/
### For more information
If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6901.
Red Hat
kernel: nvmet-tcp: add bounds check on Transfer Tag
vendor_redhat·2025-12-24·CVSS 6.1
CVE-2022-50717 [MEDIUM] CWE-1285 kernel: nvmet-tcp: add bounds check on Transfer Tag
kernel: nvmet-tcp: add bounds check on Transfer Tag
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: add bounds check on Transfer Tag
ttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(),
add a bounds check to avoid out-of-bounds access.
Package: kernel (Red Hat Enterprise Linux 10) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 8) - Fix deferred
Package: kernel-rt (Red Hat Enterprise Linux 9) - Fix deferred
Red Hat
kernel: fs: jfs: fix shift-out-of-bounds in dbDiscardAG
vendor_redhat·2025-09-15·CVSS 7.1
CVE-2022-50333 [HIGH] CWE-1285 kernel: fs: jfs: fix shift-out-of-bounds in dbDiscardAG
kernel: fs: jfs: fix shift-out-of-bounds in dbDiscardAG
In the Linux kernel, the following vulnerability has been resolved:
fs: jfs: fix shift-out-of-bounds in dbDiscardAG
This should be applied to most URSAN bugs found recently by syzbot,
by guarding the dbMount. As syzbot feeding rubbish into the bmap
descriptor.
Package: kernel (Red Hat Enterprise Linux 10) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Enterprise Linux 8) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 8) - Not affected
Package: kernel (Red Hat Enterprise Linux 9) - Not affected
Package: kernel-rt (Red Hat Enterprise
Red Hat
kernel: ntfs3: unhandled page fault in fs/ntfs3/inode.c
vendor_redhat·2023-03-18·CVSS 7.8
CVE-2022-48424 [HIGH] CWE-1285 kernel: ntfs3: unhandled page fault in fs/ntfs3/inode.c
kernel: ntfs3: unhandled page fault in fs/ntfs3/inode.c
In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.
Statement: Red Hat Enterprise Linux is not affected by this flaw as it does not include support for the NTFS3 file system driver.
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Enterprise Linux 8) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 8) - Not affected
Package: kernel (Red Hat Enterprise Linux 9) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 9) - Not affected
Juniper
CVE-2022-22201: An Improper Validation of Specified Index, Position, or Offset in Input vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos
vendor_juniper·2022-10-18·CVSS 7.5
CVE-2022-22201 [HIGH] CWE-1285 CVE-2022-22201: An Improper Validation of Specified Index, Position, or Offset in Input vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos
CVE-2022-22201: An Improper Validation of Specified Index, Position, or Offset in Input vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated network-based attacker to cause a Denial of Service (DoS). On SRX5000 Series with SPC3, SRX4000 Series, and vSRX, when PowerMode IPsec is configured and a malformed ESP packet matching an established IPsec tunnel is received the PFE crashes. This issue affects Juniper Networks Junos OS on SRX5000 Series with SPC3, SRX4000 Series, and vSRX: All versions prior to 19.4R2-S6, 19.4R3-S7; 20.1 versions prior to 20.1R3-S3; 20.2 versions prior to 20.2R3-S4; 20.3 versions prior to 20.3R3-S3; 20.4 versions prior to 20.4R3-S2; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R3; 21.3 versions prior t
Oracle
Oracle Oracle Enterprise Manager Risk Matrix: Application Service Level Management (Apache log4net) — CVE-2018-1285
vendor_oracle·2022-10-15·CVSS 9.8
CVE-2018-1285 [CRITICAL] Oracle Oracle Enterprise Manager Risk Matrix: Application Service Level Management (Apache log4net) — CVE-2018-1285
Oracle Oracle Enterprise Manager Risk Matrix: Application Service Level Management (Apache log4net) vulnerability
CVE: CVE-2018-1285
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2022 (OCT 2022)
Oracle
Oracle Oracle Enterprise Manager Risk Matrix: Load Testing for Web Apps (Apache log4net) — CVE-2018-1285
vendor_oracle·2022-04-15·CVSS 9.8
CVE-2018-1285 [CRITICAL] Oracle Oracle Enterprise Manager Risk Matrix: Load Testing for Web Apps (Apache log4net) — CVE-2018-1285
Oracle Oracle Enterprise Manager Risk Matrix: Load Testing for Web Apps (Apache log4net) vulnerability
CVE: CVE-2018-1285
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2022 (APR 2022)
No detection rules found.
No public exploits indexed.
2026-06-24
Published