CVE-2022-0870

MEDIUM5.0EPSS 11.7%

SSRF in repository migration

Published: 3/12/2022Modified: 8/21/2024

Also known as:GHSA-7v5r-r995-q2x2GO-2022-0566

Description

Gogs is a self-hosted Git service. The malicious user is able to discover services in the internal network through repository migration functionality. All installations accepting public traffic are affected. Internal network CIDRs are prohibited to be used as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev. Gogs should be ran in its own private network until users can update.

Affected packages (2)

Go/gogs.io/gogsfrom 0, < 0.12.5
Go/gogs.io/gogsfrom 0, < 0.12.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.0	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

References (5)

ADVISORYhttps://github.com/advisories/GHSA-7v5r-r995-q2x2
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-0870
PATCHhttps://github.com/gogs/gogs
WEBhttps://github.com/gogs/gogs/commit/91f2cde5e95f146bfe4765e837e7282df6c7cabb
WEBhttps://huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531