Lucene search

Veracode Vulnerability DatabaseVERACODE:4156

HistoryMay 03, 2017 - 8:30 a.m.

SQL Injection

2017-05-0308:30:55

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

github.com/gogits/gogs is vulnerable to SQL injection attacks. These attacks are possible through the label parameter given to the GetIssues function in models/issue.go

CPENameOperatorVersion
github.com/gogits/gogseqHEAD
github.com/gogits/gogsle0.5.7

CPE	Name	Operator	Version
	github.com/gogits/gogs	eq	HEAD
	github.com/gogits/gogs	le	0.5.7

References

gogs.io/docs/intro/change_log.html

packetstormsecurity.com/files/129116/Gogs-Label-Search-Blind-SQL-Injection.html

seclists.org/fulldisclosure/2014/Nov/31

www.exploit-db.com/exploits/35237

exchange.xforce.ibmcloud.com/vulnerabilities/98695

github.com/gogits/gogs/commit/83283bca4cb4e0f4ec48a28af680f0d88db3d2c8

www.exploit-db.com/exploits/35237/

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Related for VERACODE:4156