CVE-2022-38183

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/	Release Notes Vendor Advisory
https://herolab.usd.de/security-advisories/usd-2022-0015/	Broken Link
https://security.gentoo.org/glsa/202210-14	Third Party Advisory
https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/	Release Notes Vendor Advisory
https://herolab.usd.de/security-advisories/usd-2022-0015/	Broken Link
https://security.gentoo.org/glsa/202210-14	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:15

Type	Values Removed	Values Added
References	~~() https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/ - Release Notes, Vendor Advisory~~	() https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/ - Release Notes, Vendor Advisory
References	~~() https://herolab.usd.de/security-advisories/usd-2022-0015/ - Broken Link~~	() https://herolab.usd.de/security-advisories/usd-2022-0015/ - Broken Link
References	~~() https://security.gentoo.org/glsa/202210-14 - Third Party Advisory~~	() https://security.gentoo.org/glsa/202210-14 - Third Party Advisory

08 Aug 2023, 14:22

Type	Values Removed	Values Added
CWE	~~CWE-732~~	CWE-862

Information

Published : 2022-08-12 20:15

Updated : 2024-11-21 07:15

NVD link : CVE-2022-38183

Mitre link : CVE-2022-38183

CVE.ORG link : CVE-2022-38183

JSON object : View

Products Affected

gitea

gitea

CWE

CWE-862

Missing Authorization

{"id": "CVE-2022-38183", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2022-08-12T20:15:09.940", "references": [{"url": "https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://herolab.usd.de/security-advisories/usd-2022-0015/", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202210-14", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://herolab.usd.de/security-advisories/usd-2022-0015/", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202210-14", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles."}, {"lang": "es", "value": "En Gitea versiones anteriores a 1.16.9, era posible que usuarios a\u00f1adieran incidencias existentes a los proyectos. Debido a controles de acceso inapropiados, un atacante pod\u00eda asignar cualquier incidencia a cualquier proyecto en Gitea (no hab\u00eda comprobaci\u00f3n de permisos para obtener la incidencia). Como resultado, el atacante pod\u00eda acceder a t\u00edtulos de las incidencias privadas."}], "lastModified": "2024-11-21T07:15:57.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3579D3E-0B48-4B91-9CAE-17E492E4B702", "versionEndExcluding": "1.16.9"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}