Disclosure Date 2021/08/31

CVE-2021-32408

Server-Side Request Forgery (SSRF) in Gogs

SSRF (Server-Side Request Forgery) in Gogs

Credit

stypr (@stereotype32)

Affected-Versions

  • v0.12.3 and earlier

CWE

CWE-93

Description

A Server-Side Request Forgery (SSRF) vulnerability in Gogs 0.7.0 through 1.12.x before 1.12.3: ParseRemoteAddr in internal/form/repo.go does not reject a git protocol path that specifies a TCP port number and also contains URL-encoded newlines.
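An illustrative hardening check for the input class the description names, added here as example code and not taken from Gogs or its fix: it percent-decodes the remote address before inspecting it, so an encoded newline placed behind a port-bearing git:// path is rejected rather than passing a check that only looks at the raw string. ValidateGitRemoteAddr, ErrUnsafeRemoteAddr and the scheme allow-list are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

// ErrUnsafeRemoteAddr marks any remote address that fails validation.
var ErrUnsafeRemoteAddr = errors.New("unsafe remote address")

// ValidateGitRemoteAddr is a hypothetical check, not Gogs' own code. It decodes
// percent-encoding first, so %0a / %0d hidden in a "host:port/path" git URL
// are caught as control characters instead of reaching the git client.
func ValidateGitRemoteAddr(raw string) error {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return fmt.Errorf("%w: bad percent-encoding: %v", ErrUnsafeRemoteAddr, err)
	}
	// Reject every ASCII control character, not only CR and LF.
	for i, r := range decoded {
		if r < 0x20 || r == 0x7f {
			return fmt.Errorf("%w: control character %#x at offset %d", ErrUnsafeRemoteAddr, r, i)
		}
	}
	u, err := url.Parse(decoded)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrUnsafeRemoteAddr, err)
	}
	switch u.Scheme {
	case "git", "http", "https": // assumed allow-list of remote schemes
	default:
		return fmt.Errorf("%w: scheme %q not allowed", ErrUnsafeRemoteAddr, u.Scheme)
	}
	if u.Hostname() == "" {
		return fmt.Errorf("%w: missing host", ErrUnsafeRemoteAddr)
	}
	// A TCP port, if present, must be a number in 1..65535.
	if p := u.Port(); p != "" {
		n, err := strconv.Atoi(p)
		if err != nil || n < 1 || n > 65535 {
			return fmt.Errorf("%w: bad port %q", ErrUnsafeRemoteAddr, p)
		}
	}
	return nil
}
```

Call ValidateGitRemoteAddr before a remote address is handed to the git client; a returned error wrapping ErrUnsafeRemoteAddr means the value must be rejected.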

Product-URLs

https://gogs.io/

Reference

  • https://github.com/gogs/gogs/issues/6413
  • https://github.com/gogs/gogs/pull/6420
