CVE-2022-38183 — Missing Authorization in Gitea

CWE-862 — Missing Authorization CWE-732 — Incorrect Permission Assignment5 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 50.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Code.gitea.io Gitea Gitea

Timeline

PublishedAug 12

Latest updateJun 10

Description

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDgitea/gitea< 1.16.9

▶Gocode.gitea.io/gitea< 1.16.9

🔴Vulnerability Details

OSV

Gitea allowed assignment of private issues in code.gitea.io/gitea↗2024-06-10

▶

OSV

Gitea allowed assignment of private issues↗2022-08-13

▶

GHSA

Gitea allowed assignment of private issues↗2022-08-13

▶

OSV

CVE-2022-38183: In Gitea before 1↗2022-08-12

▶