Skip to content

SQL Injection in gogs.io/gogs

Moderate severity GitHub Reviewed Published Jun 29, 2021 to the GitHub Advisory Database • Updated Aug 29, 2023

Package

gomod github.com/gogits/gogs (Go)

Affected versions

>= 0.3.1, < 0.5.8

Patched versions

0.5.8
gomod gogs.io/gogs (Go)
>= 0.3.1, < 0.5.8
0.5.8

Description

SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues.

References

Reviewed May 19, 2021
Published to the GitHub Advisory Database Jun 29, 2021
Last updated Aug 29, 2023

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Weaknesses

CVE ID

CVE-2014-8681

GHSA ID

GHSA-mr6h-chqp-p9g2

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.