CVE-2014-8682

Name of the Vulnerable Software and Affected Versions Gogs versions 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the q parameter to two API endpoints: "api/v1/repos/search" and "api/v1/users/search". The "api/v1/repos/search" endpoint is not properly handled in models/repo.go, while the "api/v1/users/search" endpoint is not properly handled in models/user.go.

Recommendations For versions 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta, update to version 0.5.6.1105 Beta or later to resolve the issue. As a temporary workaround, consider restricting access to the "api/v1/repos/search" and "api/v1/users/search" endpoints to minimize the risk of exploitation. Avoid using the q parameter in these affected API endpoints until the issue is resolved.