CVE-2022-38183

EUVD-2022-6551
In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.5 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
EPSS Score
Percentile: 48%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| gitea | gitea | 𝑥 < 1.16.9 |

𝑥 = Vulnerable software versions
Ubuntu Releases
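| Ubuntu Product | Codename | Status |
|---|---|---|
| golang-code.gitea-git | bionic | needs-triage |
| golang-code.gitea-git | focal | needs-triage |
| golang-code.gitea-git | jammy | needs-triage |
| golang-code.gitea-git | kinetic | ignored |
| golang-code.gitea-git | lunar | dne |
| golang-code.gitea-git | mantic | dne |
| golang-code.gitea-git | noble | dne |
| golang-code.gitea-git | trusty | dne |
| golang-code.gitea-git | xenial | dne |
| golang-code.gitea-sdk | bionic | needs-triage |
| golang-code.gitea-sdk | focal | needs-triage |
| golang-code.gitea-sdk | jammy | needs-triage |
| golang-code.gitea-sdk | kinetic | ignored |
| golang-code.gitea-sdk | lunar | dne |
| golang-code.gitea-sdk | mantic | dne |
| golang-code.gitea-sdk | noble | dne |
| golang-code.gitea-sdk | trusty | dne |
| golang-code.gitea-sdk | xenial | dne |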