x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-w689-557m-2cvq

[julieqiu]

In GitHub Security Advisory GHSA-w689-557m-2cvq, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
gogs.io/gogs	0.12.8	< 0.12.8

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: gogs.io/gogs
    versions:
      - fixed: 0.12.8
description: |
    ### Impact

    The malicious user is able to discover services in the internal network through webhook functionality. All installations accepting public traffic are affected.

    ### Patches

    Webhook payload URLs are revalidated before each delivery to make sure they are not resolved to blocked local network addresses. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.

    ### Workarounds

    Run Gogs in its own private network.

    ### References

    https://huntr.dev/bounties/da1fbd6e-7a02-458e-9c2e-6d226c47046d/

    ### For more information

    If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6901.
published: 2022-06-03T15:35:32Z
last_modified: 2022-06-03T15:35:33Z
cves:
  - CVE-2022-1285
ghsas:
  - GHSA-w689-557m-2cvq
links:
    context:
      - https://github.com/advisories/GHSA-w689-557m-2cvq

[tatianab]

Code is not importable

[gopherbot]

Change https://go.dev/cl/592769 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607221 mentions this issue: data/reports: unexclude 20 reports (19)