0.12.8
CVE-2022-1285 is a Server-Side Request Forgery (SSRF) vulnerability in gogs.io/gogs, a self-hosted Git service. The flaw lets an attacker make the Gogs server issue HTTP requests to destinations of the attacker's choosing, which can expose internal resources that were never meant to be reachable from outside or trigger unauthorized actions on them. It affects gogs.io/gogs versions before 0.12.8; the fix ships in 0.12.8.
The flaw sits in webhook handling: an attacker who can create or edit a webhook can point its payload URL at an internal service, and the Gogs server will make the request on their behalf when the hook fires. Depending on the target, the attacker learns from the response, or from error and timing differences, what services listening only on localhost or the internal network return, and in cloud deployments the instance metadata endpoint is a typical target because it hands out credentials and configuration. The same mechanism lets an attacker enumerate the internal network for listening ports and services and identify other vulnerable systems. The blast radius is every HTTP endpoint reachable from the Gogs server, plus external destinations if the server is allowed to make outbound connections.
CVE-2022-1285 was publicly disclosed on August 21, 2024. There is no indication of active exploitation at this time, no public proof-of-concept (PoC) code has been released, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 8.3 (HIGH) reflects the reach an SSRF gives an attacker from an internet-facing Git server into the network behind it.
Exploit status: no known exploitation, no public PoC, not in CISA KEV
EPSS: 0.63% (70th percentile)
The primary mitigation for CVE-2022-1285 is to upgrade gogs.io/gogs to version 0.12.8 or later. If an immediate upgrade is not feasible, reduce what an SSRF can reach: apply egress filtering at the network layer (host firewall rules or an outbound proxy that only permits known webhook destinations) so the Gogs process cannot open connections to loopback, RFC 1918, link-local and cloud metadata addresses. A WAF is not the right tool here: it inspects inbound requests and does nothing about requests the server itself initiates. Limit which users may create or edit webhooks, audit existing webhook target URLs for internal addresses, and expose the Gogs host only on the ports and services it needs. After upgrading, confirm the running version is 0.12.8 or higher.
Update Gogs to version 0.12.8 or higher. This version contains the fix for the SSRF vulnerability. See the release notes and changelog for more details about the update.
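As an added example, not code from the Gogs project, the following Go program shows the two checks the mitigations above call for in application code: refusing internal destinations when a webhook URL is saved, and re-checking at connection time so that DNS rebinding or a redirect cannot bypass the save-time check. Hostnames, addresses and the answers returned by constructedLookup are made up so the example runs offline.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// IsForbiddenIP: loopback, link-local (includes the 169.254.169.254 cloud metadata endpoint), RFC 1918
// and ULA private ranges, multicast, unspecified. IPv4-mapped IPv6 (::ffff:127.0.0.1) is classified alike.
func IsForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// checkIPs rejects the host if any answer is forbidden, so a name mixing public and internal addresses fails.
func checkIPs(host string, ips []net.IP) error {
	if len(ips) == 0 {
		return fmt.Errorf("%s resolved to no addresses", host)
	}
	for _, ip := range ips {
		if IsForbiddenIP(ip) {
			return fmt.Errorf("%s resolves to disallowed address %s", host, ip)
		}
	}
	return nil
}

// ValidateWebhookTarget is the save-time check: http/https only, a host, and no forbidden address.
// lookup is injectable (net.LookupIP in production) so the check can be exercised without DNS.
func ValidateWebhookTarget(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid webhook URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q is not allowed for webhooks", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("webhook URL %q has no host", raw)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil { // literal address: check it directly, no lookup
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil {
		return fmt.Errorf("resolving %s: %w", host, err)
	}
	return checkIPs(host, ips)
}

// NewSafeClient is for the delivery path. A save-time check alone is not enough: the attacker owns the
// DNS for their hostname and can change the answer between save and delivery (DNS rebinding), or reply
// with a redirect to an internal address. The dialer re-resolves and re-checks at connect time and dials
// the vetted IP itself (TLS still verifies the request hostname); CheckRedirect re-validates every hop.
func NewSafeClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := net.DefaultResolver.LookupIP(ctx, "ip", host)
			if err != nil {
				return nil, err
			}
			if err := checkIPs(host, ips); err != nil {
				return nil, err
			}
			return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
		},
	}
	return &http.Client{
		Transport: transport,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return ValidateWebhookTarget(req.URL.String(), net.LookupIP)
		},
	}
}

// constructedLookup stands in for DNS with made-up answers so the example runs offline.
func constructedLookup(host string) ([]net.IP, error) {
	switch host {
	case "hooks.example.com":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "rebind.example.com": // one public and one internal answer
		return []net.IP{net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	for _, t := range []string{"https://hooks.example.com/ci", "http://127.0.0.1:3000/api/v1/users",
		"http://169.254.169.254/latest/meta-data/", "http://rebind.example.com/", "file:///etc/passwd"} {
		fmt.Printf("%-45s -> %v\n", t, ValidateWebhookTarget(t, constructedLookup))
	}
}
```

Of the five targets in main only the first passes. The connect-time check in NewSafeClient is the part that matters most in practice: a validator that only runs when the hook is saved is exactly what a rebinding or redirecting attacker works around. Network-level egress filtering on the host remains the backstop for any path in the application that does not go through this client.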
CVE-2022-1285 is a Server-Side Request Forgery vulnerability in gogs.io/gogs, allowing attackers to make HTTP requests through the server, potentially exposing internal resources. It has a HIGH severity rating.
You are affected if you are using gogs.io/gogs versions prior to 0.12.8. Check your version and upgrade immediately if vulnerable.
Upgrade to version 0.12.8 or later of gogs.io/gogs. Until you can, restrict outbound connections from the Gogs server with network-level egress filtering and review existing webhook targets for internal addresses; a WAF does not block requests the server itself initiates.
There is currently no evidence of active exploitation of CVE-2022-1285, but apply the patch promptly.
Refer to the gogs.io security advisories page for the latest information and updates regarding CVE-2022-1285: https://gogs.io/security