CVE-2022-38183

Severity Score: 6.5 (CVSS v3.1)
Exploit Likelihood (EPSS): -
Affected Versions (CPE): -
Public Exploits: 0 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions
In Gitea before 1.16.9, users could add existing issues to project boards. Because of improper access controls, an attacker could assign any issue to any project: there was no permission check when the issue was fetched, only when the project was. As a result, the attacker learned the titles of private issues.
Spanish description (translated): In Gitea versions before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker could access private issue titles.
*Credits:
N/A
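The pattern behind this CVE is easier to see in code than in the one-paragraph description: the request is authorized against the container (the project) but not against the object being fetched into it (the issue). The block below is an added illustration, not Gitea's code or its actual fix; the types, the in-memory store, the user names and the sample issue titles are all constructed for the example. It shows the vulnerable shape beside a fixed one that authorizes the fetched issue and collapses "wrong repository" and "not found" into one error so the endpoint cannot be used as an existence oracle.

```go
package main

import (
	"errors"
	"fmt"
)

// Toy model for CWE-862 in the shape CVE-2022-38183 describes (added
// example, not Gitea's code; all names below are assumptions).
var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

type Repo struct {
	ID      int64
	Private bool
	Readers map[string]bool // users allowed to read a private repo
}

type Issue struct {
	ID     int64
	RepoID int64
	Title  string
}

// A repository-level project board; it should only hold that repo's issues.
type Project struct {
	ID     int64
	RepoID int64
	Issues []int64
}

type Store struct {
	Repos    map[int64]*Repo
	Issues   map[int64]*Issue
	Projects map[int64]*Project
}

func (s *Store) canRead(user string, repoID int64) bool {
	r, ok := s.Repos[repoID]
	return ok && (!r.Private || r.Readers[user])
}

// Vulnerable shape: the caller is checked against the project's repository,
// then the issue is fetched purely by ID. Any issue on the instance can be
// attached and its title comes back to the caller.
func addIssueToProjectVulnerable(s *Store, user string, projectID, issueID int64) (string, error) {
	p, ok := s.Projects[projectID]
	if !ok {
		return "", ErrNotFound
	}
	if !s.canRead(user, p.RepoID) {
		return "", ErrForbidden
	}
	iss, ok := s.Issues[issueID] // no authorization on the issue itself
	if !ok {
		return "", ErrNotFound
	}
	p.Issues = append(p.Issues, iss.ID)
	return iss.Title, nil
}

// Fixed shape: authorize the fetched issue, not just the project. The issue
// must belong to the board's repo and be readable by the caller (the read
// check is kept so the function stays safe if boards ever span repos).
// Both failures return ErrNotFound so IDs in hidden repos cannot be probed.
func addIssueToProjectFixed(s *Store, user string, projectID, issueID int64) (string, error) {
	p, ok := s.Projects[projectID]
	if !ok {
		return "", ErrNotFound
	}
	if !s.canRead(user, p.RepoID) {
		return "", ErrForbidden
	}
	iss, ok := s.Issues[issueID]
	if !ok || iss.RepoID != p.RepoID || !s.canRead(user, iss.RepoID) {
		return "", ErrNotFound
	}
	p.Issues = append(p.Issues, iss.ID)
	return iss.Title, nil
}

// Constructed sample data: a public repo with a board, and a private repo
// whose issue title the attacker "mallory" must never see.
func newSampleStore() *Store {
	return &Store{
		Repos: map[int64]*Repo{
			1: {ID: 1},
			2: {ID: 2, Private: true, Readers: map[string]bool{"alice": true}},
		},
		Issues: map[int64]*Issue{
			100: {ID: 100, RepoID: 1, Title: "README typo"},
			200: {ID: 200, RepoID: 2, Title: "Rotate leaked AWS key before Friday"},
		},
		Projects: map[int64]*Project{10: {ID: 10, RepoID: 1}, 20: {ID: 20, RepoID: 2}},
	}
}

func main() {
	title, err := addIssueToProjectVulnerable(newSampleStore(), "mallory", 10, 200)
	fmt.Printf("vulnerable: title=%q err=%v\n", title, err)
	title, err = addIssueToProjectFixed(newSampleStore(), "mallory", 10, 200)
	fmt.Printf("fixed:      title=%q err=%v\n", title, err)
}
```

When reviewing any "attach X to Y" endpoint, check that the authorization decision covers X as well as Y; the CVE here is exactly the case where only Y was checked. Returning the same error for "exists but not yours" and "does not exist" is the second thing to look for, since a 403/404 split would still let an attacker enumerate valid issue IDs in private repositories.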
CVSS Scores
- CVSS v3.1 base metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability): -
* Common Vulnerability Scoring System
SSVC
- Decision: -
- Exploitation: -
- Automatable: -
- Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
- 2022-08-12 CVE Reserved
- 2022-08-12 CVE Published
- 2024-06-28 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-862: Missing Authorization
CAPEC
- -
References (3)

URL | Tag | Date
---|---|---
https://herolab.usd.de/security-advisories/usd-2022-0015 | Broken Link | -
https://blog.gitea.io/2022/07/gitea-1.16.9-is-released | - | 2023-08-08
https://security.gentoo.org/glsa/202210-14 | - | 2023-08-08