Improper Access Control in Gitea Web-Based Platform
CVE-2022-38183

6.5 MEDIUM

Key Information:

Vendor: Gitea
Status: Vendor
CVE Published: 12 August 2022

What is CVE-2022-38183?

In Gitea prior to version 1.16.9, an access control flaw allowed users to add existing issues to projects without having the required permissions. Because the project assignment was not properly authorized, an attacker could associate any issue with any project and thereby gain unauthorized visibility into the titles of private issues. This poses a risk of sensitive information leakage and can compromise the confidentiality of projects hosted on the Gitea platform.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved