Lucene search

GitHub Advisory DatabaseGHSA-FHV8-M4J4-CWW2

HistoryAug 13, 2022 - 12:00 a.m.

Gitea allowed assignment of private issues

2022-08-1300:00:25

CWE-732

GitHub Advisory Database

github.com

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

7 High

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

52.4%

JSON

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.

CPENameOperatorVersion
code.gitea.io/gitealt1.16.9

CPE	Name	Operator	Version
	code.gitea.io/gitea	lt	1.16.9

References

blog.gitea.io/2022/07/gitea-1.16.9-is-released

github.com/advisories/GHSA-fhv8-m4j4-cww2

github.com/go-gitea/gitea/pull/20133

github.com/go-gitea/gitea/pull/20196

herolab.usd.de/security-advisories/usd-2022-0015

nvd.nist.gov/vuln/detail/CVE-2022-38183

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

7 High

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

52.4%

JSON

Related for GHSA-FHV8-M4J4-CWW2