First published: Fri Aug 12 2022(Updated: )
In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Gitea Gitea | <1.16.9 | |
go/code.gitea.io/gitea | <1.16.9 | 1.16.9 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2022-38183.
The severity of CVE-2022-38183 is medium with a CVSS score of 6.5.
Gitea versions before 1.16.9 are affected by CVE-2022-38183.
An attacker can exploit CVE-2022-38183 by assigning any issue to any project in Gitea, regardless of permissions.
Yes, you can find references for CVE-2022-38183 at the following URLs: [Reference 1](https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/), [Reference 2](https://herolab.usd.de/security-advisories/usd-2022-0015/), [Reference 3](https://security.gentoo.org/glsa/202210-14)