CVE-2022-38183

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 43%
VendorProductVersion
giteagitea
𝑥
< 1.16.9
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-code.gitea-git
noble
dne
mantic
dne
lunar
dne
kinetic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
dne
trusty
dne
golang-code.gitea-sdk
noble
dne
mantic
dne
lunar
dne
kinetic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/
https://herolab.usd.de/security-advisories/usd-2022-0015/
https://security.gentoo.org/glsa/202210-14
https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/
https://herolab.usd.de/security-advisories/usd-2022-0015/
https://security.gentoo.org/glsa/202210-14