Platform: go
Component: gogs.io/gogs
Fixed in: 0.12.8
CVE-2022-1285 is a Server-Side Request Forgery (SSRF) vulnerability discovered in gogs.io/gogs, a self-hosted Git service. This flaw allows an attacker to manipulate the application into making HTTP requests to arbitrary destinations, potentially exposing sensitive internal resources or performing unauthorized actions. The vulnerability impacts versions of gogs.io/gogs released before 0.12.8, and a patch is available.
The SSRF vulnerability in gogs.io/gogs allows an attacker to craft malicious webhook payloads that trigger the server to make requests to internal services or external websites. This could lead to the exposure of sensitive data stored within the gogs instance, such as repository contents, user credentials, or configuration files. An attacker could also leverage this vulnerability to scan the internal network for open ports and services, potentially identifying other vulnerable systems. The blast radius extends to any internal resources accessible via HTTP from the gogs server, and external resources if the server is configured to allow outbound connections.
CVE-2022-1285 was publicly disclosed on August 21, 2024. There is no indication of active exploitation at this time. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 8.3 (HIGH) reflects the potential impact of SSRF vulnerabilities.
Organizations using gogs.io/gogs for self-hosted Git repositories are at risk, particularly those with internal services accessible via HTTP. Legacy gogs installations and deployments with overly permissive webhook configurations are especially vulnerable.
• linux / server:
journalctl -u gogs | grep -i "server-side request forgery"
• generic web:
curl -I <gogs_url>/hooks/github/your_webhook_url | grep -i "Location:"
Disclosure
Exploit status
EPSS: 0.63% (70th percentile)
CVSS vector
The primary mitigation for CVE-2022-1285 is to upgrade to version 0.12.8 or later of gogs.io/gogs. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) to filter outbound HTTP requests from the gogs server, blocking requests to suspicious or unauthorized domains. Additionally, restrict network access to the gogs server to only necessary ports and services. Review and tighten webhook configurations to prevent malicious payloads from being processed. After upgrade, confirm by verifying the gogs version is 0.12.8 or higher.
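The advice above to tighten webhook configuration comes down to one control: the server must refuse to deliver a webhook to a destination inside its own network. The following is an added example of such a destination check, not code from the Gogs project; the `blocked` ranges, `ValidateWebhookURL`, the injected `resolve` function and the `hooks.example.com` / `intranet.example` names are all assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Constructed example, not Gogs's own code. Ranges a webhook target must not
// resolve to: unspecified, loopback, RFC 1918, link-local and their IPv6 kin.
var blocked = []string{"0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10"}

// ValidateWebhookURL accepts only http(s) targets whose every resolved address
// is public. resolve is injected so the check runs offline (use net.LookupIP live).
func ValidateWebhookURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return fmt.Errorf("rejected %q: unparsable or scheme not http(s)", raw)
	}
	ips, host := []net.IP{}, u.Hostname()
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS involved
	} else if ips, err = resolve(host); err != nil {
		return err
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		for _, c := range blocked {
			if _, n, _ := net.ParseCIDR(c); n.Contains(ip) { // also catches ::ffff:a.b.c.d
				return fmt.Errorf("destination %s is in blocked range %s", ip, c)
			}
		}
	}
	return nil
}

func main() { // constructed resolver: only hooks.example.com maps to a public IP
	stub := func(h string) ([]net.IP, error) {
		if h == "hooks.example.com" {
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		}
		return []net.IP{net.ParseIP("10.1.2.3")}, nil
	}
	fmt.Println(ValidateWebhookURL("https://hooks.example.com/ci", stub))
	fmt.Println(ValidateWebhookURL("http://intranet.example/", stub))
}
```

The address that passed the check must also be the one actually dialed at delivery time; validating when the webhook is saved and resolving the name again later leaves a DNS-rebinding gap.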
Update Gogs to version 0.12.8 or later. This version contains the fix for the SSRF (Server-Side Request Forgery) vulnerability. Further details on updating can be found in the release notes and the changelog.
CVE-2022-1285 is a Server-Side Request Forgery vulnerability in gogs.io/gogs, allowing attackers to make HTTP requests through the server, potentially exposing internal resources. It has a HIGH severity rating.
You are affected if you are using gogs.io/gogs versions prior to 0.12.8. Check your version and upgrade immediately if vulnerable.
Upgrade to version 0.12.8 or later of gogs.io/gogs. Consider implementing a WAF as a temporary mitigation if an upgrade is not immediately possible.
There is currently no evidence of active exploitation of CVE-2022-1285, but it is crucial to apply the patch promptly.
Refer to the gogs.io security advisories page for the latest information and updates regarding CVE-2022-1285: https://gogs.io/security