Server-side Request Forgery (SSRF) Affecting code.gitea.io/gitea/modules/setting package, versions <1.16.0
Snyk CVSS: Attack Complexity: Low; Scope: Changed; Confidentiality: High
Threat Intelligence: EPSS 0.14% (49th percentile)
- Snyk ID SNYK-GOLANG-CODEGITEAIOGITEAMODULESSETTING-2849634
- published 6 Jun 2022
- disclosed 23 May 2022
- credit Wenxu Wu
Introduced: 23 May 2022
CVE-2018-15192
How to fix?
Upgrade code.gitea.io/gitea/modules/setting to version 1.16.0 or higher.
Overview
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) because webhook target URLs are not properly validated. An attacker who can configure a webhook can set its URL to an internal address, so that the Gitea server itself delivers the webhook request to that address.
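The mitigation class described above (validate a webhook target before the server will deliver to it) is illustrated below with an added example. This is not Gitea's own code, and Gitea 1.16 itself addressed the issue with a configurable host allow-list (the `[webhook] ALLOWED_HOST_LIST` setting) rather than the fixed block-list used here. Function names, the `Resolver` type, the private/loopback ranges and the `fakeResolve` lookup table are all assumptions made for the example so that it runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver is an injectable DNS lookup so the check can be tested offline.
// Production code would pass net.DefaultResolver.LookupIPAddr.
type Resolver func(ctx context.Context, host string) ([]net.IPAddr, error)

// Ranges a webhook must never be delivered to (hypothetical policy for this example):
// loopback, RFC 1918, link-local, "this network", CGNAT and their IPv6 equivalents.
var internalNets = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
	"::1/128", "fc00::/7", "fe80::/10", "::/128",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isInternalIP(ip net.IP) bool {
	// Normalise IPv4-mapped IPv6 (::ffff:127.0.0.1) to plain IPv4 first.
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	for _, n := range internalNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateWebhookURL returns nil only when raw is an http(s) URL whose host is a
// literal IP or resolves exclusively to non-internal addresses.
func ValidateWebhookURL(ctx context.Context, raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("missing host")
	}
	lower := strings.ToLower(host)
	if lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return errors.New("loopback hostname not allowed")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		addrs, err := resolve(ctx, host)
		if err != nil {
			return fmt.Errorf("resolve %q: %w", host, err)
		}
		for _, a := range addrs {
			ips = append(ips, a.IP)
		}
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q has no addresses", host)
	}
	// Reject if ANY returned address is internal: a name that mixes public and
	// private answers must not slip through on the public one.
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("host %q maps to internal address %s", host, ip)
		}
	}
	return nil
}

// fakeResolve is a constructed lookup table standing in for DNS.
func fakeResolve(_ context.Context, host string) ([]net.IPAddr, error) {
	switch host {
	case "hooks.example.com":
		return []net.IPAddr{{IP: net.ParseIP("203.0.113.10")}}, nil
	case "mixed.example.com":
		return []net.IPAddr{{IP: net.ParseIP("203.0.113.10")}, {IP: net.ParseIP("10.0.0.5")}}, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, u := range []string{"https://hooks.example.com/gitea", "http://127.0.0.1:3000/", "http://mixed.example.com/"} {
		fmt.Printf("%-35s -> %v\n", u, ValidateWebhookURL(context.Background(), u, fakeResolve))
	}
}
```

Checking at configuration time is necessary but not sufficient: a name can resolve differently when the webhook actually fires, so the same `isInternalIP` test should also run inside the HTTP client's dial step (for example in a custom `DialContext`) so that the address the connection is really made to is the one that was checked.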