Platform: go
Component: gogs.io/gogs
Fixed version: 0.12.8
CVE-2022-1285 is a Server-Side Request Forgery (SSRF) vulnerability discovered in gogs.io/gogs, a self-hosted Git service. This flaw allows an attacker to manipulate the application into making HTTP requests to arbitrary destinations, potentially exposing sensitive internal resources or performing unauthorized actions. The vulnerability impacts versions of gogs.io/gogs released before 0.12.8, and a patch is available.
The SSRF vulnerability in gogs.io/gogs allows an attacker who can configure a webhook to make the Gogs server issue HTTP requests to destinations of the attacker's choosing, including internal services and external hosts. Because the request originates from the Gogs host, it can reach services that are reachable only from inside the network or that trust the server's address: cloud metadata endpoints, admin interfaces bound to loopback, or other internal HTTP services. The attacker can also use response differences to scan the internal network for open ports and services and identify other vulnerable systems. The blast radius extends to any resource reachable over HTTP from the Gogs server, and to external resources if outbound connections are permitted.
CVE-2022-1285 was publicly disclosed in 2022. There is no indication of active exploitation at this time, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed in the CISA KEV catalog. The CVSS score of 8.3 (HIGH) reflects the potential impact of SSRF in a service that typically sits inside the network perimeter.
Organizations using gogs.io/gogs for self-hosted Git repositories are at risk, particularly those with internal services accessible via HTTP. Legacy gogs installations and deployments with overly permissive webhook configurations are especially vulnerable.
• linux / server: confirm the running version, then review the configured webhook targets for internal addresses (the database path assumes the default SQLite backend; adjust for MySQL/PostgreSQL):
gogs --version
sqlite3 data/gogs.db "SELECT repo_id, url FROM webhook;"
• generic web: the footer of every Gogs page shows the running version; anything below 0.12.8 is affected.
Exploitation status
EPSS
0.63% (70th percentile)
CVSS vector
The primary mitigation for CVE-2022-1285 is to upgrade to version 0.12.8 or later of gogs.io/gogs. If an immediate upgrade is not feasible, apply egress filtering on the Gogs host (a WAF inspects inbound traffic and does not help here): block outbound connections from the Gogs process to loopback, RFC 1918, link-local and cloud metadata addresses, and allow only the external hosts that legitimate webhooks need. Restrict network access to the Gogs server to the ports and services it actually requires, and review existing webhook targets so that none point at internal addresses. After upgrading, confirm that the running version reports 0.12.8 or higher.
Update Gogs to 0.12.8 or later. This release includes the fix for the SSRF vulnerability. For more details on the update, see the release notes and changelog.
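To make the webhook-target review and the egress restriction above concrete, here is an added Go example (written for this page; it is not code from Gogs or from the advisory) showing the check a server should apply to a user-supplied webhook URL, and the same check applied again at dial time so that DNS rebinding between validation and delivery does not bypass it. The `SampleResolve` table, hostnames and addresses are constructed so the program runs offline; a real deployment would resolve through `net.DefaultResolver`.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver maps a hostname to the addresses it resolves to. Production code
// wraps net.DefaultResolver; SampleResolve below is a constructed table so the
// example runs without network access.
type Resolver func(host string) ([]net.IP, error)

// sampleTable is constructed example data, not real DNS.
var sampleTable = map[string][]net.IP{
	"hooks.example.com":  {net.ParseIP("203.0.113.10")},
	"rebind.example.com": {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")},
}

// SampleResolve is the offline stand-in for DNS used by main and the tests.
func SampleResolve(host string) ([]net.IP, error) {
	ips, ok := sampleTable[host]
	if !ok {
		return nil, fmt.Errorf("no such host %s", host)
	}
	return ips, nil
}

// isInternalIP reports whether ip is an address a webhook must never reach:
// loopback, RFC 1918 / ULA private space, link-local (which includes the
// 169.254.169.254 cloud metadata service), multicast or unspecified.
func isInternalIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4 // normalise IPv4-mapped IPv6 so ::ffff:127.0.0.1 is caught
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// CheckWebhookTarget validates a user-supplied webhook URL before it is saved.
// It rejects non-HTTP schemes, embedded credentials, localhost names and any
// host that resolves (even partially) to an internal address.
func CheckWebhookTarget(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in webhook url not allowed")
	}
	host := strings.ToLower(u.Hostname()) // strips [] from IPv6 literals
	if host == "" {
		return errors.New("empty host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return errors.New("localhost not allowed")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no lookup needed
	} else if ips, err = resolve(host); err != nil {
		return fmt.Errorf("resolve %s: %w", host, err)
	} else if len(ips) == 0 {
		return fmt.Errorf("%s resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("%s resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// SafeDialContext is the dial-time counterpart, meant for http.Transport's
// DialContext. Re-checking here closes the gap between validation and
// delivery, and dialing the exact IP that passed the check avoids a second,
// possibly different, lookup.
func SafeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("no addresses for %s", host)
	}
	for _, a := range addrs {
		if isInternalIP(a.IP) {
			return nil, fmt.Errorf("refusing internal address %s for %s", a.IP, host)
		}
	}
	return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(addrs[0].IP.String(), port))
}

func main() {
	// Constructed sample webhook URLs of the kind an attacker would register.
	for _, raw := range []string{
		"https://hooks.example.com/ci",
		"http://127.0.0.1:3000/api/v1/admin/users",
		"http://[::1]:3000/",
		"http://169.254.169.254/latest/meta-data/",
		"http://localhost:3000/",
		"gopher://hooks.example.com/",
		"http://rebind.example.com/",
	} {
		fmt.Printf("%-45s %v\n", raw, CheckWebhookTarget(raw, SampleResolve))
	}
}
```

Wire `SafeDialContext` into the `http.Transport` used for webhook delivery rather than only validating at save time: every hop of a redirect chain then passes through the same dial check, so a permitted external host cannot bounce the server to an internal one.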
CVE-2022-1285 is a Server-Side Request Forgery vulnerability in gogs.io/gogs, allowing attackers to make HTTP requests through the server, potentially exposing internal resources. It has a HIGH severity rating.
You are affected if you are using gogs.io/gogs versions prior to 0.12.8. Check your version and upgrade immediately if vulnerable.
Upgrade to version 0.12.8 or later of gogs.io/gogs. If an upgrade is not immediately possible, restrict outbound connections from the Gogs host to internal address ranges as a temporary mitigation.
There is currently no evidence of active exploitation of CVE-2022-1285, but it is crucial to apply the patch promptly.
Refer to the gogs.io security advisories page for the latest information and updates regarding CVE-2022-1285: https://gogs.io/security