Summary
Gogs (Go Git Service) is prone to multiple vulnerabilities.
Impact
Unauthenicated attackers can exploit this vulnerabilities to perfom an XSS attack or execute arbitrary SQL commands which may lead to a complete compromise of the database.
Solution
Update to version 0.5.8 or later.
Insight
The installed Gogs version is prone to the following vulnerabilities:
CVE-2014-8681:
SQL injection vulnerability in the GetIssues function in models/issue.go.
CVE-2014-8682:
Multiple SQL injection vulnerabilities in the q parameter of api/v1/repos/search, which is not properly handled in models/repo.go and in api/v1/users/search, which is not properly handled in models/user.go.
CVE-2014-8683:
Cross-site scripting (XSS) vulnerability in models/issue.go.
Affected
Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8
Detection
Check the version
References
- http://gogs.io/docs/intro/change_log.html
- http://packetstormsecurity.com/files/129116/Gogs-Label-Search-Blind-SQL-Injection.html
- http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html
- http://packetstormsecurity.com/files/129118/Gogs-Markdown-Renderer-Cross-Site-Scripting.html
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-8681, CVE-2014-8682, CVE-2014-8683 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities