Search criteria
44 vulnerabilities by Gitea
CVE-2025-69413 (GCVE-0-2025-69413)
Vulnerability from cvelistv5 – Published: 2026-01-01 04:39 – Updated: 2026-01-05 19:56
VLAI?
Summary
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
Severity ?
5.3 (Medium)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T19:55:52.705571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:56:03.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/code.gitea.io/gitea",
"product": "Gitea",
"vendor": "Gitea",
"versions": [
{
"lessThan": "1.25.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.25.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204 Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-01T04:43:13.997Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.gitea.com/release-of-1.25.2/"
},
{
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.2"
},
{
"url": "https://github.com/go-gitea/gitea/issues/35984"
},
{
"url": "https://github.com/go-gitea/gitea/pull/36002"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-69413",
"datePublished": "2026-01-01T04:39:48.140Z",
"dateReserved": "2026-01-01T04:39:47.889Z",
"dateUpdated": "2026-01-05T19:56:03.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68946 (GCVE-0-2025-68946)
Vulnerability from cvelistv5 – Published: 2025-12-26 04:14 – Updated: 2025-12-26 18:59
VLAI?
Summary
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68946",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:42:13.330951Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:50:45.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/code.gitea.io/gitea",
"product": "Gitea",
"vendor": "Gitea",
"versions": [
{
"lessThan": "1.20.1",
"status": "affected",
"version": "1.20.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.20.1",
"versionStartIncluding": "1.20.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T18:59:45.647Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.gitea.com/release-of-1.20.1/"
},
{
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.20.1"
},
{
"url": "https://github.com/go-gitea/gitea/pull/25960"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68946",
"datePublished": "2025-12-26T04:14:03.775Z",
"dateReserved": "2025-12-26T04:14:03.512Z",
"dateUpdated": "2025-12-26T18:59:45.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68945 (GCVE-0-2025-68945)
Vulnerability from cvelistv5 – Published: 2025-12-26 03:58 – Updated: 2025-12-26 18:59
VLAI?
Summary
In Gitea before 1.21.2, an anonymous user can visit a private user's project.
Severity ?
5.8 (Medium)
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68945",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:49:16.693875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:50:50.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/code.gitea.io/gitea",
"product": "Gitea",
"vendor": "Gitea",
"versions": [
{
"lessThan": "1.21.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.21.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gitea before 1.21.2, an anonymous user can visit a private user\u0027s project."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T18:59:29.985Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.gitea.com/release-of-1.21.2/"
},
{
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.21.2"
},
{
"url": "https://github.com/go-gitea/gitea/pull/28423"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68945",
"datePublished": "2025-12-26T03:58:46.724Z",
"dateReserved": "2025-12-26T03:58:46.374Z",
"dateUpdated": "2025-12-26T18:59:29.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68944 (GCVE-0-2025-68944)
Vulnerability from cvelistv5 – Published: 2025-12-26 03:37 – Updated: 2025-12-26 19:28
VLAI?
Summary
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
Severity ?
5 (Medium)
CWE
- CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68944",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T19:28:17.625511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T19:28:23.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/code.gitea.io/gitea",
"product": "Gitea",
"vendor": "Gitea",
"versions": [
{
"lessThan": "1.22.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.22.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-441",
"description": "CWE-441 Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T18:59:09.375Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.gitea.com/release-of-1.22.2/"
},
{
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.2"
},
{
"url": "https://github.com/go-gitea/gitea/pull/31967"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68944",
"datePublished": "2025-12-26T03:37:28.693Z",
"dateReserved": "2025-12-26T03:37:28.412Z",
"dateUpdated": "2025-12-26T19:28:23.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68943 (GCVE-0-2025-68943)
Vulnerability from cvelistv5 – Published: 2025-12-26 03:19 – Updated: 2025-12-26 19:28
VLAI?
Summary
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
Severity ?
5.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T19:28:50.288272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T19:28:57.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/code.gitea.io/gitea",
"product": "Gitea",
"vendor": "Gitea",
"versions": [
{
"lessThan": "1.21.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.21.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea before 1.21.8 inadvertently discloses users\u0027 login times by allowing (for example) the lastlogintime explore/users sort order."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T18:58:55.452Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10/"
},
{
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.21.8"
},
{
"url": "https://github.com/go-gitea/gitea/pull/29430"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68943",
"datePublished": "2025-12-26T03:19:45.242Z",
"dateReserved": "2025-12-26T03:19:44.968Z",
"dateUpdated": "2025-12-26T19:28:57.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68942 (GCVE-0-2025-68942)
Vulnerability from cvelistv5 – Published: 2025-12-26 02:50 – Updated: 2025-12-26 19:30
VLAI?
Summary
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T19:29:56.320510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T19:30:04.360Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/code.gitea.io/gitea",
"product": "Gitea",
"vendor": "Gitea",
"versions": [
{
"lessThan": "1.22.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.22.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T18:58:40.767Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.gitea.com/release-of-1.22.2/"
},
{
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.2"
},
{
"url": "https://github.com/go-gitea/gitea/pull/31966"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68942",
"datePublished": "2025-12-26T02:50:35.144Z",
"dateReserved": "2025-12-26T02:50:34.878Z",
"dateUpdated": "2025-12-26T19:30:04.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68941 (GCVE-0-2025-68941)
Vulnerability from cvelistv5 – Published: 2025-12-26 02:31 – Updated: 2025-12-26 19:31
VLAI?
Summary
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
Severity ?
4.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T19:31:26.862350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T19:31:33.303Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/code.gitea.io/gitea",
"product": "Gitea",
"vendor": "Gitea",
"versions": [
{
"lessThan": "1.22.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.22.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T18:58:12.663Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.gitea.com/release-of-1.22.3/"
},
{
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.3"
},
{
"url": "https://github.com/go-gitea/gitea/pull/32218"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68941",
"datePublished": "2025-12-26T02:31:59.031Z",
"dateReserved": "2025-12-26T02:31:58.775Z",
"dateUpdated": "2025-12-26T19:31:33.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68940 (GCVE-0-2025-68940)
Vulnerability from cvelistv5 – Published: 2025-12-26 02:14 – Updated: 2025-12-26 18:57
VLAI?
Summary
In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:42:20.321275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:50:55.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/code.gitea.io/gitea",
"product": "Gitea",
"vendor": "Gitea",
"versions": [
{
"lessThan": "1.22.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.22.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T18:57:56.965Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.gitea.com/release-of-1.22.5/"
},
{
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.5"
},
{
"url": "https://github.com/go-gitea/gitea/pull/32654"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68940",
"datePublished": "2025-12-26T02:14:52.076Z",
"dateReserved": "2025-12-26T02:14:51.782Z",
"dateUpdated": "2025-12-26T18:57:56.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68939 (GCVE-0-2025-68939)
Vulnerability from cvelistv5 – Published: 2025-12-26 02:03 – Updated: 2025-12-26 18:57
VLAI?
Summary
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.
Severity ?
8.2 (High)
CWE
- CWE-424 - Improper Protection of Alternate Path
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68939",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:40:06.574200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:51:01.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/code.gitea.io/gitea",
"product": "Gitea",
"vendor": "Gitea",
"versions": [
{
"lessThan": "1.23.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.23.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-424",
"description": "CWE-424 Improper Protection of Alternate Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T18:57:27.065Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.gitea.com/release-of-1.23.0/"
},
{
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.23.0"
},
{
"url": "https://github.com/go-gitea/gitea/pull/32151"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68939",
"datePublished": "2025-12-26T02:03:59.691Z",
"dateReserved": "2025-12-26T02:03:59.388Z",
"dateUpdated": "2025-12-26T18:57:27.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68938 (GCVE-0-2025-68938)
Vulnerability from cvelistv5 – Published: 2025-12-26 01:19 – Updated: 2025-12-26 18:53
VLAI?
Summary
Gitea before 1.25.2 mishandles authorization for deletion of releases.
Severity ?
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68938",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:42:22.299506Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:51:07.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:golang/code.gitea.io/gitea",
"product": "Gitea",
"vendor": "Gitea",
"versions": [
{
"lessThan": "1.25.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.25.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea before 1.25.2 mishandles authorization for deletion of releases."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T18:53:35.494Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.gitea.com/release-of-1.25.2/"
},
{
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.2"
},
{
"url": "https://github.com/go-gitea/gitea/pull/36002/commits/d4262131b39899d9e9ee5caa2635c810d476e43f#diff-8962bac89952027d50fa51f31f59d65bedb4c02bde0265eced5cf256cbed306d"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68938",
"datePublished": "2025-12-26T01:19:10.609Z",
"dateReserved": "2025-12-26T01:19:10.331Z",
"dateUpdated": "2025-12-26T18:53:35.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6886 (GCVE-0-2024-6886)
Vulnerability from cvelistv5 – Published: 2024-08-06 03:23 – Updated: 2024-08-06 14:30
VLAI?
Title
Inproper Sanitation of field leading to stored XSS
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS.This issue affects Gitea Open Source Git Server: 1.22.0.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gitea | Gitea Open Source Git Server |
Affected:
1.22.0
(semver)
|
Credits
Catalin Iovita (https://github.com/catalin-iovita)
Alexandru Postolache (https://github.com/alex-postolache)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gitea:gitea:1.22.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "gitea",
"vendor": "gitea",
"versions": [
{
"status": "affected",
"version": "1.22.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6886",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T14:26:58.912514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T14:30:41.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gitea Open Source Git Server",
"repo": "https://github.com/go-gitea/gitea/",
"vendor": "Gitea",
"versions": [
{
"status": "affected",
"version": "1.22.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Catalin Iovita (https://github.com/catalin-iovita)"
},
{
"lang": "en",
"type": "finder",
"value": "Alexandru Postolache (https://github.com/alex-postolache)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS.\u003cp\u003eThis issue affects Gitea Open Source Git Server: 1.22.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS.This issue affects Gitea Open Source Git Server: 1.22.0."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T03:23:21.692Z",
"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"shortName": "Gitea"
},
"references": [
{
"url": "https://github.com/go-gitea/gitea/pull/31200"
},
{
"url": "https://blog.gitea.com/release-of-1.22.1/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Inproper Sanitation of field leading to stored XSS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"assignerShortName": "Gitea",
"cveId": "CVE-2024-6886",
"datePublished": "2024-08-06T03:23:21.692Z",
"dateReserved": "2024-07-18T18:22:45.238Z",
"dateUpdated": "2024-08-06T14:30:41.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38795 (GCVE-0-2022-38795)
Vulnerability from cvelistv5 – Published: 2023-08-07 00:00 – Updated: 2024-10-17 14:43
VLAI?
Summary
In Gitea through 1.17.1, repo cloning can occur in the migration function.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T11:02:14.626Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/20869"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/20892"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.gitea.com/release-of-1.17.2/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-38795",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T14:43:39.668288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T14:43:49.424Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gitea through 1.17.1, repo cloning can occur in the migration function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/go-gitea/gitea/pull/20869"
},
{
"url": "https://github.com/go-gitea/gitea/pull/20892"
},
{
"url": "https://blog.gitea.com/release-of-1.17.2/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-38795",
"datePublished": "2023-08-07T00:00:00",
"dateReserved": "2022-08-27T00:00:00",
"dateUpdated": "2024-10-17T14:43:49.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3515 (GCVE-0-2023-3515)
Vulnerability from cvelistv5 – Published: 2023-07-05 14:12 – Updated: 2025-02-13 16:55
VLAI?
Title
Open Redirect in go-gitea/gitea
Summary
Open Redirect in GitHub repository go-gitea/gitea prior to 1.19.4.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| go-gitea | go-gitea/gitea |
Affected:
unspecified , < 1.19.4
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:55:03.595Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/e335cd18-bc4d-4585-adb7-426c817ed053"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/commit/9aaaf980f0ba15611f30568bd67bce3ec12954e2"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202312-13"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "go-gitea/gitea",
"vendor": "go-gitea",
"versions": [
{
"lessThan": "1.19.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open Redirect in GitHub repository go-gitea/gitea prior to 1.19.4."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-23T11:06:17.795Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/e335cd18-bc4d-4585-adb7-426c817ed053"
},
{
"url": "https://github.com/go-gitea/gitea/commit/9aaaf980f0ba15611f30568bd67bce3ec12954e2"
},
{
"url": "https://security.gentoo.org/glsa/202312-13"
}
],
"source": {
"advisory": "e335cd18-bc4d-4585-adb7-426c817ed053",
"discovery": "EXTERNAL"
},
"title": "Open Redirect in go-gitea/gitea"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3515",
"datePublished": "2023-07-05T14:12:33.673Z",
"dateReserved": "2023-07-05T14:12:20.176Z",
"dateUpdated": "2025-02-13T16:55:48.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46685 (GCVE-0-2022-46685)
Vulnerability from cvelistv5 – Published: 2022-12-07 00:00 – Updated: 2025-04-23 14:13
VLAI?
Summary
In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log.
Severity ?
4.3 (Medium)
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jenkins Project | Jenkins Gitea Plugin |
Affected:
unspecified , ≤ 1.4.4
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:38.558Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2022-12-07/#SECURITY-2661"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46685",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:57:16.100487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T14:13:22.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Gitea Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"lessThanOrEqual": "1.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T14:26:38.874Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"url": "https://www.jenkins.io/security/advisory/2022-12-07/#SECURITY-2661"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2022-46685",
"datePublished": "2022-12-07T00:00:00.000Z",
"dateReserved": "2022-12-06T00:00:00.000Z",
"dateUpdated": "2025-04-23T14:13:22.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-42968 (GCVE-0-2022-42968)
Vulnerability from cvelistv5 – Published: 2022-10-16 00:00 – Updated: 2025-05-14 14:34
VLAI?
Summary
Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:19:05.488Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/21463"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.17.3"
},
{
"name": "GLSA-202210-14",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-14"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-42968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T14:33:59.973332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T14:34:03.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-31T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/go-gitea/gitea/pull/21463"
},
{
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.17.3"
},
{
"name": "GLSA-202210-14",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-14"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-42968",
"datePublished": "2022-10-16T00:00:00.000Z",
"dateReserved": "2022-10-16T00:00:00.000Z",
"dateUpdated": "2025-05-14T14:34:03.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38183 (GCVE-0-2022-38183)
Vulnerability from cvelistv5 – Published: 2022-08-12 00:00 – Updated: 2024-08-03 10:45
VLAI?
Summary
In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:45:52.995Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/"
},
{
"tags": [
"x_transferred"
],
"url": "https://herolab.usd.de/security-advisories/usd-2022-0015/"
},
{
"name": "GLSA-202210-14",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-31T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/"
},
{
"url": "https://herolab.usd.de/security-advisories/usd-2022-0015/"
},
{
"name": "GLSA-202210-14",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-14"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-38183",
"datePublished": "2022-08-12T00:00:00",
"dateReserved": "2022-08-12T00:00:00",
"dateUpdated": "2024-08-03T10:45:52.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1928 (GCVE-0-2022-1928)
Vulnerability from cvelistv5 – Published: 2022-05-29 00:00 – Updated: 2024-08-03 00:17
VLAI?
Title
Cross-site Scripting (XSS) - Stored in go-gitea/gitea
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| go-gitea | go-gitea/gitea |
Affected:
unspecified , < 1.16.9
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:17:00.935Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/6336ec42-5c4d-4f61-ae38-2bb539f433d2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/commit/65e0688a5c9dacad50e71024b7529fdf0e3c2e9c"
},
{
"name": "GLSA-202210-14",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "go-gitea/gitea",
"vendor": "go-gitea",
"versions": [
{
"lessThan": "1.16.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-31T00:00:00",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/6336ec42-5c4d-4f61-ae38-2bb539f433d2"
},
{
"url": "https://github.com/go-gitea/gitea/commit/65e0688a5c9dacad50e71024b7529fdf0e3c2e9c"
},
{
"name": "GLSA-202210-14",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-14"
}
],
"source": {
"advisory": "6336ec42-5c4d-4f61-ae38-2bb539f433d2",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in go-gitea/gitea"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1928",
"datePublished": "2022-05-29T00:00:00",
"dateReserved": "2022-05-28T00:00:00",
"dateUpdated": "2024-08-03T00:17:00.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30781 (GCVE-0-2022-30781)
Vulnerability from cvelistv5 – Published: 2022-05-16 00:00 – Updated: 2024-08-03 06:56
VLAI?
Summary
Gitea before 1.16.7 does not escape git fetch remote.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:56:14.048Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/19490"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/19487"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.gitea.io/2022/05/gitea-1.16.7-is-released/"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/168400/Gitea-1.16.6-Remote-Code-Execution.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/169928/Gitea-Git-Fetch-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea before 1.16.7 does not escape git fetch remote."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-17T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/go-gitea/gitea/pull/19490"
},
{
"url": "https://github.com/go-gitea/gitea/pull/19487"
},
{
"url": "https://blog.gitea.io/2022/05/gitea-1.16.7-is-released/"
},
{
"url": "http://packetstormsecurity.com/files/168400/Gitea-1.16.6-Remote-Code-Execution.html"
},
{
"url": "http://packetstormsecurity.com/files/169928/Gitea-Git-Fetch-Remote-Code-Execution.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-30781",
"datePublished": "2022-05-16T00:00:00",
"dateReserved": "2022-05-16T00:00:00",
"dateUpdated": "2024-08-03T06:56:14.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27313 (GCVE-0-2022-27313)
Vulnerability from cvelistv5 – Published: 2022-05-03 19:57 – Updated: 2024-08-03 05:25
VLAI?
Summary
An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the configuration file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:25:32.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/19072"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the configuration file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-03T19:57:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/pull/19072"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-27313",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the configuration file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/go-gitea/gitea/pull/19072",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/pull/19072"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-27313",
"datePublished": "2022-05-03T19:57:11",
"dateReserved": "2022-03-21T00:00:00",
"dateUpdated": "2024-08-03T05:25:32.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1058 (GCVE-0-2022-1058)
Vulnerability from cvelistv5 – Published: 2022-03-24 14:15 – Updated: 2024-08-02 23:47
VLAI?
Title
Open Redirect on login in go-gitea/gitea
Summary
Open Redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5.
Severity ?
7.2 (High)
CWE
- CWE-601 - URL Redirection to Untrusted Site
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| go-gitea | go-gitea/gitea |
Affected:
unspecified , < 1.16.5
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:43.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "go-gitea/gitea",
"vendor": "go-gitea",
"versions": [
{
"lessThan": "1.16.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open Redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-24T14:15:12",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48"
}
],
"source": {
"advisory": "4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d",
"discovery": "EXTERNAL"
},
"title": "Open Redirect on login in go-gitea/gitea",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1058",
"STATE": "PUBLIC",
"TITLE": "Open Redirect on login in go-gitea/gitea"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "go-gitea/gitea",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.16.5"
}
]
}
}
]
},
"vendor_name": "go-gitea"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open Redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601 URL Redirection to Untrusted Site"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d"
},
{
"name": "https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48"
}
]
},
"source": {
"advisory": "4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1058",
"datePublished": "2022-03-24T14:15:12",
"dateReserved": "2022-03-23T00:00:00",
"dateUpdated": "2024-08-02T23:47:43.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29134 (GCVE-0-2021-29134)
Vulnerability from cvelistv5 – Published: 2022-03-15 20:30 – Updated: 2024-08-03 22:02
VLAI?
Summary
The avatar middleware in Gitea before 1.13.6 allows Directory Traversal via a crafted URL.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.625Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/15125/files"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.13.6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The avatar middleware in Gitea before 1.13.6 allows Directory Traversal via a crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-16T09:07:35",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/pull/15125/files"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.13.6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29134",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The avatar middleware in Gitea before 1.13.6 allows Directory Traversal via a crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/go-gitea/gitea/pull/15125/files",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/pull/15125/files"
},
{
"name": "https://github.com/go-gitea/gitea/releases/tag/v1.13.6",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.13.6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-29134",
"datePublished": "2022-03-15T20:30:58",
"dateReserved": "2021-03-24T00:00:00",
"dateUpdated": "2024-08-03T22:02:50.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0905 (GCVE-0-2022-0905)
Vulnerability from cvelistv5 – Published: 2022-03-10 00:00 – Updated: 2024-08-02 23:47
VLAI?
Title
Missing Authorization in go-gitea/gitea
Summary
Missing Authorization in GitHub repository go-gitea/gitea prior to 1.16.4.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| go-gitea | go-gitea/gitea |
Affected:
unspecified , < 1.16.4
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:41.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/8d221f92-b2b1-4878-bc31-66ff272e5ceb"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/commit/1314f38b59748397b3429fb9bc9f9d6bac85d2f2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "go-gitea/gitea",
"vendor": "go-gitea",
"versions": [
{
"lessThan": "1.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization in GitHub repository go-gitea/gitea prior to 1.16.4."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-29T00:00:00",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/8d221f92-b2b1-4878-bc31-66ff272e5ceb"
},
{
"url": "https://github.com/go-gitea/gitea/commit/1314f38b59748397b3429fb9bc9f9d6bac85d2f2"
}
],
"source": {
"advisory": "8d221f92-b2b1-4878-bc31-66ff272e5ceb",
"discovery": "EXTERNAL"
},
"title": "Missing Authorization in go-gitea/gitea"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0905",
"datePublished": "2022-03-10T00:00:00",
"dateReserved": "2022-03-09T00:00:00",
"dateUpdated": "2024-08-02T23:47:41.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45331 (GCVE-0-2021-45331)
Vulnerability from cvelistv5 – Published: 2022-02-09 17:22 – Updated: 2024-08-04 04:39
VLAI?
Summary
An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured, the TOTP code for the 2FA can be submitted correctly more than once.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:39:20.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.gitea.io/2018/08/gitea-1.5.0-is-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/3878"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured, the TOTP code for the 2FA can be submitted correctly more than once."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-09T17:22:44",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.gitea.io/2018/08/gitea-1.5.0-is-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/pull/3878"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45331",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured, the TOTP code for the 2FA can be submitted correctly more than once."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.gitea.io/2018/08/gitea-1.5.0-is-released/",
"refsource": "MISC",
"url": "https://blog.gitea.io/2018/08/gitea-1.5.0-is-released/"
},
{
"name": "https://github.com/go-gitea/gitea/pull/3878",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/pull/3878"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45331",
"datePublished": "2022-02-09T17:22:44",
"dateReserved": "2021-12-20T00:00:00",
"dateUpdated": "2024-08-04T04:39:20.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45330 (GCVE-0-2021-45330)
Vulnerability from cvelistv5 – Published: 2022-02-09 17:16 – Updated: 2024-08-04 04:39
VLAI?
Summary
An issue exsits in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being deleted and the session remains valid on the server side for reuse.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:39:20.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/issues/4336"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue exsits in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being deleted and the session remains valid on the server side for reuse."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-09T17:16:16",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/issues/4336"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45330",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue exsits in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being deleted and the session remains valid on the server side for reuse."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/go-gitea/gitea/issues/4336",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/issues/4336"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45330",
"datePublished": "2022-02-09T17:16:16",
"dateReserved": "2021-12-20T00:00:00",
"dateUpdated": "2024-08-04T04:39:20.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45329 (GCVE-0-2021-45329)
Vulnerability from cvelistv5 – Published: 2022-02-08 22:26 – Updated: 2024-08-04 04:39
VLAI?
Summary
Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:39:20.536Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.gitea.io/2018/09/gitea-1.5.1-is-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/4710"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-08T22:26:52",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.gitea.io/2018/09/gitea-1.5.1-is-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/pull/4710"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45329",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.gitea.io/2018/09/gitea-1.5.1-is-released/",
"refsource": "MISC",
"url": "https://blog.gitea.io/2018/09/gitea-1.5.1-is-released/"
},
{
"name": "https://github.com/go-gitea/gitea/pull/4710",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/pull/4710"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45329",
"datePublished": "2022-02-08T22:26:52",
"dateReserved": "2021-12-20T00:00:00",
"dateUpdated": "2024-08-04T04:39:20.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45328 (GCVE-0-2021-45328)
Vulnerability from cvelistv5 – Published: 2022-02-08 15:14 – Updated: 2024-08-04 04:39
VLAI?
Summary
Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:39:20.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.gitea.io/2018/06/release-of-1.4.3/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/issues/4332"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) via internal URLs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-08T15:14:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.gitea.io/2018/06/release-of-1.4.3/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/issues/4332"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45328",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) via internal URLs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.gitea.io/2018/06/release-of-1.4.3/",
"refsource": "MISC",
"url": "https://blog.gitea.io/2018/06/release-of-1.4.3/"
},
{
"name": "https://github.com/go-gitea/gitea/issues/4332",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/issues/4332"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45328",
"datePublished": "2022-02-08T15:14:10",
"dateReserved": "2021-12-20T00:00:00",
"dateUpdated": "2024-08-04T04:39:20.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45327 (GCVE-0-2021-45327)
Vulnerability from cvelistv5 – Published: 2022-02-08 14:57 – Updated: 2024-08-04 04:39
VLAI?
Summary
Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API. which could let a remote malisious user execute arbitrary code.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:39:20.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.gitea.io/2020/03/gitea-1.11.2-is-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/10462"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/10465"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/10582"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API. which could let a remote malisious user execute arbitrary code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-08T14:57:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.gitea.io/2020/03/gitea-1.11.2-is-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/pull/10462"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/pull/10465"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/pull/10582"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45327",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API. which could let a remote malisious user execute arbitrary code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.gitea.io/2020/03/gitea-1.11.2-is-released/",
"refsource": "MISC",
"url": "https://blog.gitea.io/2020/03/gitea-1.11.2-is-released/"
},
{
"name": "https://github.com/go-gitea/gitea/pull/10462",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/pull/10462"
},
{
"name": "https://github.com/go-gitea/gitea/pull/10465",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/pull/10465"
},
{
"name": "https://github.com/go-gitea/gitea/pull/10582",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/pull/10582"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45327",
"datePublished": "2022-02-08T14:57:36",
"dateReserved": "2021-12-20T00:00:00",
"dateUpdated": "2024-08-04T04:39:20.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45326 (GCVE-0-2021-45326)
Vulnerability from cvelistv5 – Published: 2022-02-08 14:48 – Updated: 2024-08-04 04:39
VLAI?
Summary
Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes.This can be dangerous especially with state altering POST requests.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:39:20.443Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.gitea.io/2018/10/gitea-1.5.2-is-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/4840"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/issues/4838"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes.This can be dangerous especially with state altering POST requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-08T14:48:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.gitea.io/2018/10/gitea-1.5.2-is-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/pull/4840"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/issues/4838"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45326",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes.This can be dangerous especially with state altering POST requests."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.gitea.io/2018/10/gitea-1.5.2-is-released/",
"refsource": "MISC",
"url": "https://blog.gitea.io/2018/10/gitea-1.5.2-is-released/"
},
{
"name": "https://github.com/go-gitea/gitea/pull/4840",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/pull/4840"
},
{
"name": "https://github.com/go-gitea/gitea/issues/4838",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/issues/4838"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45326",
"datePublished": "2022-02-08T14:48:50",
"dateReserved": "2021-12-20T00:00:00",
"dateUpdated": "2024-08-04T04:39:20.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45325 (GCVE-0-2021-45325)
Vulnerability from cvelistv5 – Published: 2022-02-08 14:36 – Updated: 2024-08-04 04:39
VLAI?
Summary
Server Side Request Forgery (SSRF) vulneraility exists in Gitea before 1.7.0 using the OpenID URL.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:39:20.458Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.gitea.io/2019/01/gitea-1.7.0-is-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/5705"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server Side Request Forgery (SSRF) vulneraility exists in Gitea before 1.7.0 using the OpenID URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-08T14:36:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.gitea.io/2019/01/gitea-1.7.0-is-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/pull/5705"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45325",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server Side Request Forgery (SSRF) vulneraility exists in Gitea before 1.7.0 using the OpenID URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.gitea.io/2019/01/gitea-1.7.0-is-released/",
"refsource": "MISC",
"url": "https://blog.gitea.io/2019/01/gitea-1.7.0-is-released/"
},
{
"name": "https://github.com/go-gitea/gitea/pull/5705",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/pull/5705"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45325",
"datePublished": "2022-02-08T14:36:14",
"dateReserved": "2021-12-20T00:00:00",
"dateUpdated": "2024-08-04T04:39:20.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28378 (GCVE-0-2021-28378)
Vulnerability from cvelistv5 – Published: 2021-03-15 05:20 – Updated: 2024-08-03 21:40
VLAI?
Summary
Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations.
Severity ?
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:40:14.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-gitea/gitea/pull/14898"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.gitea.io/2021/03/gitea-1.13.4-is-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PandatiX/CVE-2021-28378"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:H/AV:N/A:N/C:L/I:L/PR:L/S:U/UI:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-24T21:01:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-gitea/gitea/pull/14898"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.gitea.io/2021/03/gitea-1.13.4-is-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PandatiX/CVE-2021-28378"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-28378",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:H/AV:N/A:N/C:L/I:L/PR:L/S:U/UI:R",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/go-gitea/gitea/pull/14898",
"refsource": "MISC",
"url": "https://github.com/go-gitea/gitea/pull/14898"
},
{
"name": "https://blog.gitea.io/2021/03/gitea-1.13.4-is-released/",
"refsource": "MISC",
"url": "https://blog.gitea.io/2021/03/gitea-1.13.4-is-released/"
},
{
"name": "https://github.com/PandatiX/CVE-2021-28378",
"refsource": "MISC",
"url": "https://github.com/PandatiX/CVE-2021-28378"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-28378",
"datePublished": "2021-03-15T05:20:50",
"dateReserved": "2021-03-15T00:00:00",
"dateUpdated": "2024-08-03T21:40:14.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}