GHSA-q347-cg56-pcq4: 
vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Gogs repository migration functionality, identified as GHSA-q347-cg56-pcq4 and CVE-2022-0870. The vulnerability affects Gogs versions prior to 0.12.5, with the issue being publicly disclosed on March 12, 2022. This security flaw impacts all Gogs installations that accept public traffic (GitHub Advisory).

The vulnerability is classified as CWE-918 and received a CVSS v3.0 score of 5.0 (Moderate severity). The CVSS metrics indicate a network attack vector with low attack complexity, requiring low privileges and no user interaction. The scope is changed with low confidentiality impact, while integrity and availability impacts are none (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) (GitHub Advisory).

The vulnerability allows malicious users to discover services in the internal network through the repository migration functionality. This capability could potentially expose sensitive internal network services to unauthorized users (GitHub Advisory).

The vulnerability has been patched in version 0.12.5, where internal network CIDRs are prohibited from being used as repository migration targets. Users are advised to upgrade to version 0.12.5 or the latest 0.13.0+dev. As a workaround, administrators can run Gogs in its own private network to minimize exposure (GitHub Advisory).