Vulnerability Description
In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gitea | Gitea | < 1.16.9 |
Related Weaknesses (CWE)
References
- https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/Release NotesVendor Advisory
- https://herolab.usd.de/security-advisories/usd-2022-0015/Broken Link
- https://security.gentoo.org/glsa/202210-14Third Party Advisory
- https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/Release NotesVendor Advisory
- https://herolab.usd.de/security-advisories/usd-2022-0015/Broken Link
- https://security.gentoo.org/glsa/202210-14Third Party Advisory
FAQ
What is CVE-2022-38183?
CVE-2022-38183 is a vulnerability with a CVSS score of 6.5 (MEDIUM). In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permissi...
How severe is CVE-2022-38183?
CVE-2022-38183 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-38183?
Check the references section above for vendor advisories and patch information. Affected products include: Gitea Gitea.