Lucene search

[email protected]NVD:CVE-2022-38183

HistoryAug 12, 2022 - 8:15 p.m.

CVE-2022-38183

2022-08-1220:15:09

CWE-862

[email protected]

web.nvd.nist.gov

gitea

vulnerability

issue assignment

access control

private issue titles

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

48.8%

JSON

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.

Affected configurations

Nvd

Node

giteagiteaRange<1.16.9

VendorProductVersionCPE
giteagitea*cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gitea	gitea	*	cpe:2.3:a:gitea:gitea::::::::

References

blog.gitea.io/2022/07/gitea-1.16.9-is-released/

herolab.usd.de/security-advisories/usd-2022-0015/

security.gentoo.org/glsa/202210-14

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

48.8%

JSON

Related for NVD:CVE-2022-38183

osv4 github1 cvelist1 cve1 openvas1 ubuntucve1 prion1 nessus1 gentoo1