CVE-2022-0871

9.1 CRITICAL

📋 TL;DR

CVE-2022-0871 is a missing authorization vulnerability in Gogs (a self-hosted Git service) that allows attackers to bypass authentication and access unauthorized repositories. This affects all Gogs instances running versions prior to 0.12.5. Attackers can exploit this to view private repositories they shouldn't have access to.

💻 Affected Systems

Products:
  • Gogs (Go Git Service)
Versions: All versions prior to 0.12.5
Operating Systems: All platforms running Gogs
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Gogs deployments regardless of configuration. The vulnerability is in the core authorization logic.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of all private repositories, including sensitive source code, credentials, and intellectual property exposure.

🟠 Likely Case: Unauthorized access to private repositories leading to source code theft, credential harvesting, and potential supply chain attacks.

🟢 If Mitigated: Limited impact with proper network segmentation and access controls, but still exposes repository contents to unauthorized users.

🌐 Internet-Facing: HIGH - Internet-facing Gogs instances are directly exploitable without authentication.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require network access; insider threats remain a concern.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit - attackers can access unauthorized repositories via crafted HTTP requests. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.5 and later

Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-4h98-2769-gh6h

Restart Required: Yes

Instructions:

1. Backup your Gogs data and configuration.
2. Stop the Gogs service.
3. Update to version 0.12.5 or later using your package manager or by downloading from GitHub.
4. Restart the Gogs service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict network access to the Gogs instance to trusted IPs only.

# Using iptables (Linux); the ACCEPT rule must be added before the DROP rule,
# and the proxy or other hosts that legitimately reach port 3000 need their own ACCEPT.
iptables -A INPUT -p tcp --dport 3000 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

Reverse Proxy Authentication (all platforms)

Place Gogs behind a reverse proxy with an additional authentication layer.

# Example nginx config with basic auth
location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://localhost:3000;
}

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Gogs instance
  • Enable audit logging and monitor for unauthorized repository access attempts

🔍 How to Verify

Check if Vulnerable:

Check the Gogs version via the web interface (Admin Panel → Configuration) or from the command line: ./gogs --version

Check Version:

./gogs --version

Verify Fix Applied:

Verify that the version is 0.12.5 or later and test that unauthorized users cannot access private repositories.
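The version comparison above is easy to get wrong when done as a string comparison (for example, "0.12.10" sorts before "0.12.5" as text). The following script is an added example, not code from the advisory or from the Gogs project; it assumes that `./gogs --version` prints a line containing a dotted version such as "Gogs version 0.12.4" (the exact wording is an assumption, only the numeric part is parsed) and compares it numerically against the fixed release.

```python
"""Decide whether a Gogs build is older than the fixed release 0.12.5.

Added example, not part of the advisory or of Gogs itself. It assumes
`./gogs --version` prints a line containing a dotted version such as
"Gogs version 0.12.4"; the exact wording is an assumption, and only the
numeric part is parsed.
"""
import re
import subprocess

FIXED_VERSION = (0, 12, 5)  # first release carrying the fix, per the advisory
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_gogs_version(output):
    """Return the version as an int tuple, e.g. "Gogs version 0.12.4" -> (0, 12, 4)."""
    m = VERSION_RE.search(output)
    if m is None:
        raise ValueError("no dotted version found in: %r" % output)
    return tuple(int(part) for part in m.groups())


def is_vulnerable(output):
    """True when the reported version is older than 0.12.5.

    Tuples compare element by element as integers, so 0.12.10 is correctly
    treated as newer than 0.12.5; a plain string comparison gets that backwards.
    """
    return parse_gogs_version(output) < FIXED_VERSION


def check_local_binary(path="./gogs"):
    """Run the binary and classify it; returns (version_tuple, vulnerable)."""
    out = subprocess.run([path, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return parse_gogs_version(out), is_vulnerable(out)


if __name__ == "__main__":
    version, vulnerable = check_local_binary()
    label = "VULNERABLE, update to 0.12.5 or later" if vulnerable else "not affected by CVE-2022-0871"
    print("Gogs %s: %s" % (".".join(map(str, version)), label))
```

Run it from the Gogs installation directory; `check_local_binary` can also be pointed at another path when auditing several installs from one host.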

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to private repositories
  • HTTP 200 responses for repository access from unauthenticated users
  • Access patterns showing users viewing repositories they don't have permissions for

Network Indicators:

  • Unusual HTTP GET requests to repository endpoints from unauthorized IPs
  • Increased traffic to /:username/:reponame.git endpoints

SIEM Query:

source="gogs.log" AND (http_status=200) AND (user="anonymous" OR auth_method="none") AND uri="/.*/.*.git"
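The SIEM query above sketches the idea; the script below is an added example (not from the advisory or the Gogs project) that turns the same log indicators into runnable detection logic. It assumes Gogs sits behind nginx writing the standard "combined" access-log format, and that the defender keeps an inventory of private repositories (a constructed list here). Because the proxy only sees credentials sent as HTTP Basic auth, which is how git smart-HTTP clients authenticate, the rule is limited to `.git/` endpoints; web UI hits by session-logged-in users look anonymous to the proxy and need Gogs's own log to attribute. The sample log lines are constructed.

```python
"""Flag successful anonymous access to private Gogs repositories in proxy logs.

Added example, not code from the advisory or from the Gogs project. Assumes
nginx "combined" log format in front of Gogs and a constructed inventory of
private repositories. Only git smart-HTTP paths are judged, because the proxy
cannot see Gogs web-UI session logins.
"""
import re

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Repository paths look like /<owner>/<repo>, /<owner>/<repo>.git/... or /<owner>/<repo>/settings
REPO_RE = re.compile(r'^/(?P<owner>[^/]+)/(?P<repo>[^/]+?)(?:\.git)?(?:/|$)')

# Top-level routes that are not repository owners (assumed list; extend as needed).
RESERVED_PREFIXES = {"user", "admin", "api", "explore", "login", "org", "img", "css", "js", "assets"}

# Constructed inventory of private repositories as (owner, repo), lowercase.
PRIVATE_REPOS = {("acme", "billing"), ("acme", "infra-secrets")}

# Constructed sample log: 203.0.113.7 clones a private repo without credentials,
# alice clones it with credentials, and a patched-style 401 appears for another repo.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2022:10:01:02 +0000] "GET /acme/billing.git/info/refs?service=git-upload-pack HTTP/1.1" 200 512 "-" "git/2.35.1"
203.0.113.7 - - [07/Mar/2022:10:01:03 +0000] "POST /acme/billing.git/git-upload-pack HTTP/1.1" 200 98304 "-" "git/2.35.1"
198.51.100.4 - alice [07/Mar/2022:10:02:10 +0000] "GET /acme/billing.git/info/refs?service=git-upload-pack HTTP/1.1" 200 512 "-" "git/2.35.1"
203.0.113.9 - - [07/Mar/2022:10:03:00 +0000] "GET /acme/infra-secrets.git/info/refs?service=git-upload-pack HTTP/1.1" 401 0 "-" "git/2.35.1"
203.0.113.9 - - [07/Mar/2022:10:03:05 +0000] "GET /acme/public-docs.git/info/refs?service=git-upload-pack HTTP/1.1" 200 300 "-" "git/2.35.1"
203.0.113.9 - - [07/Mar/2022:10:03:07 +0000] "GET /acme/billing HTTP/1.1" 200 7321 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def repo_from_path(path):
    """Map a request path to (owner, repo), or None for non-repository routes."""
    m = REPO_RE.match(path)
    if m is None or m.group("owner").lower() in RESERVED_PREFIXES:
        return None
    return (m.group("owner").lower(), m.group("repo").lower())


def is_smart_http(path):
    """True for git smart-HTTP endpoints (info/refs, git-upload-pack, ...)."""
    return ".git/" in path or path.endswith(".git")


def find_suspicious(lines, private_repos=PRIVATE_REPOS):
    """Return records for anonymous 200 responses on private repositories' git endpoints.

    A patched Gogs refuses such requests; a 200 to an anonymous client on a
    private repository is the log signature this advisory's indicators describe.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        repo = repo_from_path(rec["path"])
        if repo is None or repo not in private_repos or not is_smart_http(rec["path"]):
            continue
        if rec["user"] == "-" and rec["status"] == 200:
            hits.append({"ip": rec["ip"], "time": rec["time"],
                         "path": rec["path"], "repo": "%s/%s" % repo})
    return hits


def by_source(hits):
    """Count hits per client IP, which is the unit you would alert on."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for h in found:
        print("%(time)s %(ip)s anonymous 200 on private repo %(repo)s (%(path)s)" % h)
    print("per-source counts:", by_source(found))
```

The last sample line (an anonymous-looking web UI request to /acme/billing) is deliberately not flagged: the proxy cannot tell a session-authenticated browser from an unauthenticated one, so that case belongs to Gogs's own log. To run against real data, replace `SAMPLE_LOG.splitlines()` with the lines of the nginx access log and load `PRIVATE_REPOS` from your repository inventory.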
