Platform
go
Component
gogs.io/gogs
Fixed in
0.12.8
CVE-2022-1285 is a Server-Side Request Forgery (SSRF) vulnerability discovered in gogs.io/gogs, a self-hosted Git service. This flaw allows an attacker to manipulate the application into making HTTP requests to arbitrary destinations, potentially exposing sensitive internal resources or performing unauthorized actions. The vulnerability impacts versions of gogs.io/gogs released before 0.12.8, and a patch is available.
The SSRF vulnerability in gogs.io/gogs allows an attacker to craft malicious webhook payloads that trigger the server to make requests to internal services or external websites. This could lead to the exposure of sensitive data stored within the gogs instance, such as repository contents, user credentials, or configuration files. An attacker could also leverage this vulnerability to scan the internal network for open ports and services, potentially identifying other vulnerable systems. The blast radius extends to any internal resources accessible via HTTP from the gogs server, and external resources if the server is configured to allow outbound connections.
CVE-2022-1285 was publicly disclosed on August 21, 2024. There is no indication of active exploitation at this time. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 8.3 (HIGH) reflects the potential impact of SSRF vulnerabilities.
Organizations using gogs.io/gogs for self-hosted Git repositories are at risk, particularly those with internal services accessible via HTTP. Legacy gogs installations and deployments with overly permissive webhook configurations are especially vulnerable.
• linux / server:
  journalctl -u gogs | grep -i "server-side request forgery"
• generic web:
  curl -I <gogs_url>/hooks/github/your_webhook_url | grep -i "Location:"
Exploit Status
EPSS
0.63% (percentile 70%)
CVSS Vector
The primary mitigation for CVE-2022-1285 is to upgrade to version 0.12.8 or later of gogs.io/gogs. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) to filter outbound HTTP requests from the gogs server, blocking requests to suspicious or unauthorized domains. Additionally, restrict network access to the gogs server to only necessary ports and services. Review and tighten webhook configurations to prevent malicious payloads from being processed. After upgrade, confirm by verifying the gogs version is 0.12.8 or higher.
Update Gogs to version 0.12.8 or later. That release contains the fix for the SSRF vulnerability. Consult the release notes and the changelog for details on the update.
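The advisory text above describes the webhook delivery path as the SSRF vector and lists network-level controls as the interim mitigation. The following Go program is an added example written for this page; it is not code from the Gogs project. It shows the two application-level controls a defender would pair with the upgrade: validating a webhook URL when it is saved (scheme, host, and every resolved address checked against loopback, private, link-local and CGNAT ranges) and re-checking the address at dial time so a changed DNS answer or an HTTP redirect cannot steer a delivery into an internal range. All hostnames, addresses and the fixed resolver are constructed for the example; the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Ranges a webhook target must never reach: loopback, RFC 1918, link-local
// (covers the cloud metadata address 169.254.169.254), CGNAT, "this network",
// and the IPv6 equivalents. The list is an example policy, not Gogs's own.
var blockedNetworks = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // the constant list above is malformed
		}
		nets = append(nets, n)
	}
	return nets
}

// IsBlockedIP reports whether ip lies in a blocked range. nil or unspecified
// addresses are blocked (fail closed). IPNet.Contains normalises IPv4-mapped
// IPv6 such as ::ffff:127.0.0.1, so it cannot slip past the IPv4 entries.
func IsBlockedIP(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() {
		return true
	}
	for _, n := range blockedNetworks {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateWebhookURL runs when a webhook URL is created or edited: http/https
// only, a host must be present, and every address the host resolves to must be
// outside the blocked ranges. lookup is injected so the check is testable
// without DNS; pass net.LookupIP in production.
func ValidateWebhookURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("missing host")
	}
	var ips []net.IP
	if lit := net.ParseIP(host); lit != nil {
		ips = []net.IP{lit} // literal address, no DNS involved
	} else if ips, err = lookup(host); err != nil {
		return fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// NewOutboundClient returns an http.Client whose dialer re-checks the concrete
// address it is about to connect to. The Control hook runs for every
// connection, including redirect hops, so a DNS answer that changed after
// validation (rebinding) or a redirect into an internal range is refused.
func NewOutboundClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(_, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if IsBlockedIP(net.ParseIP(host)) {
				return fmt.Errorf("dial to blocked address %s refused", host)
			}
			return nil
		},
	}
	return &http.Client{Timeout: 15 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext}}
}

func main() {
	// Constructed resolver standing in for DNS so the demo runs offline.
	fake := func(host string) ([]net.IP, error) {
		if host == "hooks.example.com" {
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		}
		return nil, errors.New("no such host")
	}
	for _, raw := range []string{"https://hooks.example.com/notify",
		"http://127.0.0.1:3000/", "http://[::ffff:127.0.0.1]/"} {
		fmt.Printf("%-40s %v\n", raw, ValidateWebhookURL(raw, fake))
	}
	_ = NewOutboundClient() // deliver webhook payloads through this client
}
```

The save-time check alone is not sufficient, which is why the client re-validates at dial time: the hostname a user stores may resolve to a public address when checked and to an internal one when the hook fires. Block-list entries should be reviewed against the deployment's own address plan; a host that legitimately must receive webhooks from inside a private range belongs on an explicit allow list rather than in a widened default.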
CVE-2022-1285 is a Server-Side Request Forgery vulnerability in gogs.io/gogs, allowing attackers to make HTTP requests through the server, potentially exposing internal resources. It has a HIGH severity rating.
You are affected if you are using gogs.io/gogs versions prior to 0.12.8. Check your version and upgrade immediately if vulnerable.
Upgrade to version 0.12.8 or later of gogs.io/gogs. Consider implementing a WAF as a temporary mitigation if an upgrade is not immediately possible.
There is currently no evidence of active exploitation of CVE-2022-1285, but it is crucial to apply the patch promptly.
Refer to the gogs.io security advisories page for the latest information and updates regarding CVE-2022-1285: https://gogs.io/security